6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-33958

GHSA ID

GHSA-rvrx-rrwh-r9p6

EPSS Score

0.21292%

CWE

CWE-400

Published

6/6/2023

Updated

11/5/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-33958

CVE-2023-33958: Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack

Impact

An attacker who controls or compromises a registry can make the registry serve an infinite number of signatures for the artifact, causing a denial of service to the host machine running notation verify.

Patches

The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above.

Workarounds

User should use secure and trusted container registries

Credits

The notation project would like to thank Adam Korczynski (@AdamKorcz) for responsibly disclosing the issue found during an security audit (facilitated by OSTIF and sponsored by CNCF) and Shiwei Zhang (@shizhMSFT) for root cause analysis.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-33958

GHSA ID

GHSA-rvrx-rrwh-r9p6

EPSS Score

0.21292%

CWE

CWE-400

Published

6/6/2023

Updated

11/5/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/notaryproject/notation	go	< 1.0.0-rc.6	1.0.0-rc.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from uncontrolled resource consumption (CWE-400) during signature verification. The advisory indicates the default maxSignatureAttempts parameter allowed endless processing of signatures from a compromised registry. The fix in v1.0.0-rc.6 likely introduced a limit check in the signature verification loop. The verifySignatures function (or equivalent) in the verification workflow would be responsible for iterating through signatures, and without a proper maxSignatureAttempts enforcement, it would cause resource exhaustion. This aligns with the vulnerability's impact description and the CWE classification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *n *tt**k*r w*o *ontrols or *ompromis*s * r**istry **n m*k* t** r**istry s*rv* *n in*init* num**r o* si*n*tur*s *or t** *rti***t, **usin* * **ni*l o* s*rvi** to t** *ost m***in* runnin* `not*tion v*ri*y`. ### P*t***s T** pro*l*m **s ***n

Reasoning

T** vuln*r**ility st*ms *rom un*ontroll** r*sour** *onsumption (*W*-***) *urin* si*n*tur* v*ri*i**tion. T** **visory in*i**t*s t** ****ult `m*xSi*n*tur**tt*mpts` p*r*m*t*r *llow** *n*l*ss pro**ssin* o* si*n*tur*s *rom * *ompromis** r**istry. T** *ix

6.5

Basic Information

Concerned about an active attack path?

CVE-2023-33958: Notation's default `maxSignatureAttempts` in `notation verify` enables an endless data attack

Impact

Patches

Workarounds

Credits

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI