logo

Database

Insecure digital certificates In github.com/notaryproject/notation-go

Description

notation-go's verification bypass can cause users to verify the wrong artifact

Impact

An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.

Patches

The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above.

Workarounds

User should use secure and trusted container registries.

Credits

The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during an security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT), Pritesh Bandi (@priteshbandi) for root cause analysis.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-339592. NVD-2023-339593. OSV-2023-339594. GHSA-xhg5-42rf-296r5. GCVE-2023-33959

References

1. https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r2. https://github.com/notaryproject/notation-go/commit/39c8ed050a65cca3f3f308534acb612096735a643. https://github.com/notaryproject/notation-go/commit/eba60f5aed9c9e05dee55324423c95fe34700b4c4. https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.