-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/notaryproject/notation | go | < 1.0.0-rc.6 | 1.0.0-rc.6 |
GoGoMiggo AIRoot Cause AnalysisThe vulnerability stems from uncontrolled resource consumption (CWE-400) during signature verification. The advisory indicates the default maxSignatureAttempts parameter allowed endless processing of signatures from a compromised registry. The fix in v1.0.0-rc.6 likely introduced a limit check in the signature verification loop. The verifySignatures function (or equivalent) in the verification workflow would be responsible for iterating through signatures, and without a proper maxSignatureAttempts enforcement, it would cause resource exhaustion. This aligns with the vulnerability's impact description and the CWE classification.
Ongoing coverage of React2Shell