Описание
notation-go's verification bypass can cause users to verify the wrong artifact
Impact
An attacker who controls or compromises a registry can lead a user to verify the wrong artifact.
Patches
The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above.
Workarounds
User should use secure and trusted container registries.
Credits
The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during an security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT), Pritesh Bandi (@priteshbandi) for root cause analysis.
Ссылки
- https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r
- https://nvd.nist.gov/vuln/detail/CVE-2023-33959
- https://github.com/notaryproject/notation-go/commit/39c8ed050a65cca3f3f308534acb612096735a64
- https://github.com/notaryproject/notation-go/commit/eba60f5aed9c9e05dee55324423c95fe34700b4c
- https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6
Пакеты
github.com/notaryproject/notation-go
< 1.0.0-rc.6
1.0.0-rc.6
Связанные уязвимости
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.