CVE-2023-25656

Summary

notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains =#. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the authenticity validation is set to enforce.

Affected Software

VendorProductVersion RangeStatus
notaryprojectnotation-go1.0.0-rc.3 < 1.0.0-rc.3affected

Weaknesses

  • CWE-770: CWE-770 Allocation of Resources Without Limits or Throttling

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References