CVE-2023-25656
Description
notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains =#. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the authenticity validation is set to enforce.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/notaryproject/notation-goGo | < 1.0.0-rc.3 | 1.0.0-rc.3 |
Affected products
16- osv-coords15 versionspkg:apk/chainguard/kyvernopkg:apk/chainguard/kyverno-background-controllerpkg:apk/chainguard/kyverno-cleanup-controllerpkg:apk/chainguard/kyverno-clipkg:apk/chainguard/kyverno-init-containerpkg:apk/chainguard/kyverno-reports-controllerpkg:apk/chainguard/zotpkg:apk/wolfi/kyvernopkg:apk/wolfi/kyverno-background-controllerpkg:apk/wolfi/kyverno-cleanup-controllerpkg:apk/wolfi/kyverno-clipkg:apk/wolfi/kyverno-init-containerpkg:apk/wolfi/kyverno-reports-controllerpkg:apk/wolfi/zotpkg:golang/github.com/notaryproject/notation-go
< 1.11.0-r1+ 14 more
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 2.1.2-r7
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 1.11.0-r1
- (no CPE)range: < 2.1.2-r7
- (no CPE)range: < 1.0.0-rc.3
- Range: 1.0.0-rc.3
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-87x9-7grx-m28vghsaADVISORY
- github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-m28vnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-25656ghsaADVISORY
- github.com/notaryproject/notation-go/pull/275ghsaWEB
- github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.