CVE-2023-33959

Published: Jun 6, 2023

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

8.4

HIGH

Description

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.

Vendor	Product	Versions
notaryproject	notation-go	affected `< 1.0.0-rc.6`

Weaknesses (CWE)

CWE-347

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-33959

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References