The vulnerability stems from processing an unbounded number of signatures during inspect and list operations. The pre-patch code in inspect.go and list.go called ListSignatures directly, with no cap on how many signatures it would iterate over. The fix introduced a max-signatures parameter and a listSignatures wrapper that enforces that limit. The original functions (runInspect and printSignatureManifestDigests) lacked this safeguard, so an artifact carrying an excessive number of signatures could exhaust the resources of the client performing the inspection or listing.
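The following Go program is an added illustration of the pattern the fix describes; it is not code from the notation project. The `fakeRegistry`, `signatureDescriptor` and `signatureLister` names are hypothetical stand-ins for the real registry client and OCI descriptor types, and the `fetched` counter exists only to make the cost of each listing strategy observable. The unbounded listing (the pre-patch behaviour) is shown beside a `listSignatures` wrapper that takes a `maxSignatures` limit, stops iterating once it is exceeded, and returns a distinct error the caller can report.

```go
package main

import (
	"errors"
	"fmt"
)

// signatureDescriptor is a hypothetical stand-in for an OCI descriptor
// that refers to one signature manifest attached to an artifact.
type signatureDescriptor struct {
	Digest string
}

// signatureLister is a hypothetical interface modelling a registry client that
// streams the signatures of an artifact to a callback; returning a non-nil
// error from the callback stops the iteration.
type signatureLister interface {
	ListSignatures(yield func(signatureDescriptor) error) error
}

// fakeRegistry is a constructed in-memory registry: the artifact carries
// `total` signatures, and `fetched` records how many were actually pulled.
type fakeRegistry struct {
	total   int
	fetched int
}

func (r *fakeRegistry) ListSignatures(yield func(signatureDescriptor) error) error {
	for i := 0; i < r.total; i++ {
		r.fetched++ // each pull is network and memory cost on the client
		d := signatureDescriptor{Digest: fmt.Sprintf("sha256:%064x", i)}
		if err := yield(d); err != nil {
			return err
		}
	}
	return nil
}

// ErrTooManySignatures is returned when an artifact has more signatures than
// the caller is willing to process.
var ErrTooManySignatures = errors.New("artifact has more signatures than the configured maximum")

// listAllSignatures models the unbounded, pre-patch behaviour: every signature
// the registry returns is collected, so work grows with the attacker-controlled
// count of signatures attached to the artifact.
func listAllSignatures(src signatureLister) ([]signatureDescriptor, error) {
	var out []signatureDescriptor
	err := src.ListSignatures(func(d signatureDescriptor) error {
		out = append(out, d)
		return nil
	})
	return out, err
}

// listSignatures models the patched wrapper: it accepts at most maxSignatures
// entries and aborts the iteration with ErrTooManySignatures as soon as one
// more is offered, so the client never pulls or holds more than the cap.
func listSignatures(src signatureLister, maxSignatures int) ([]signatureDescriptor, error) {
	if maxSignatures <= 0 {
		return nil, errors.New("maxSignatures must be positive")
	}
	out := make([]signatureDescriptor, 0, maxSignatures)
	err := src.ListSignatures(func(d signatureDescriptor) error {
		if len(out) >= maxSignatures {
			return ErrTooManySignatures
		}
		out = append(out, d)
		return nil
	})
	return out, err
}

func main() {
	// Constructed scenario: an artifact with far more signatures than any
	// legitimate signing workflow would produce.
	hostile := &fakeRegistry{total: 10000}
	all, _ := listAllSignatures(hostile)
	fmt.Printf("unbounded: collected %d, fetched %d\n", len(all), hostile.fetched)

	hostile = &fakeRegistry{total: 10000}
	bounded, err := listSignatures(hostile, 100)
	fmt.Printf("bounded:   collected %d, fetched %d, err=%v\n", len(bounded), hostile.fetched, err)

	// A normally signed artifact is unaffected by the cap.
	normal := &fakeRegistry{total: 3}
	few, err := listSignatures(normal, 100)
	fmt.Printf("normal:    collected %d, fetched %d, err=%v\n", len(few), normal.fetched, err)
}
```

The bounded wrapper fetches exactly one descriptor past the cap (the one that triggers the error) and then stops, so the client's cost is fixed by its own configuration rather than by whoever pushed signatures to the repository; callers that prefer a truncated result over an error can check for `ErrTooManySignatures` and keep the entries collected so far.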
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/notaryproject/notation | go | < 1.0.0-rc.6 | 1.0.0-rc.6 |