Low severityNVD Advisory· Published Nov 7, 2023· Updated Sep 4, 2024

Possible endless data attack from attacker-controlled registry in cosign

CVE-2023-46737

Description

Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in an endless data attack. The root cause is that Cosign loops through all attestations fetched from the remote registry in pkg/cosign.FetchAttestations. The attacker needs to compromise the registry or make a request to a registry they control. When doing so, the attacker must return a high number of attestations in the response to Cosign. The result will be that the attacker can cause Cosign to go into a long or infinite loop that will prevent other users from verifying their data. In Kyvernos case, an attacker whose privileges are limited to making requests to the cluster can make a request with an image reference to their own registry, trigger the infinite loop and deny other users from completing their admission requests. Alternatively, the attacker can obtain control of the registry used by an organization and return a high number of attestations instead the expected number of attestations. The issue can be mitigated rather simply by setting a limit to the limit of attestations that Cosign will loop through. The limit does not need to be high to be within the vast majority of use cases and still prevent the endless data attack. This issue has been patched in version 2.2.1 and users are advised to upgrade.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/sigstore/cosignGo	< 1.13.2	1.13.2
github.com/sigstore/cosign/v2Go	< 2.2.1	2.2.1

Affected products

Sigstore/Cosignv5
Range: < 2.2.1

Patches

8ac891ff0e29

Merge pull request from GHSA-vfp6-jrw2-99g9

https://github.com/sigstore/cosignAdamKorczNov 7, 2023via ghsa

commit

2 files changed · +123 −0

pkg/cosign/fetch.go+9 −0 modified

@@ -34,6 +34,8 @@ import (
 	"golang.org/x/sync/errgroup"
 )
 
+const maxAllowedSigsOrAtts = 100
+
 type SignedPayload struct {
 	Base64Signature  string
 	Payload          []byte
@@ -84,6 +86,9 @@ func FetchSignaturesForReference(_ context.Context, ref name.Reference, opts ...
 	if len(l) == 0 {
 		return nil, fmt.Errorf("no signatures associated with %s", ref)
 	}
+	if len(l) > maxAllowedSigsOrAtts {
+		return nil, fmt.Errorf("maximum number of signatures on an image is %d, found %d", maxAllowedSigsOrAtts, len(l))
+	}
 
 	signatures := make([]SignedPayload, len(l))
 	var g errgroup.Group
@@ -145,6 +150,10 @@ func FetchAttestations(se oci.SignedEntity, predicateType string) ([]Attestation
 	if len(l) == 0 {
 		return nil, errors.New("found no attestations")
 	}
+	if len(l) > maxAllowedSigsOrAtts {
+		errMsg := fmt.Sprintf("maximum number of attestations on an image is %d, found %d", maxAllowedSigsOrAtts, len(l))
+		return nil, errors.New(errMsg)
+	}
 
 	attestations := make([]AttestationPayload, 0, len(l))
 	var attMu sync.Mutex

test/e2e_test.go+114 −0 modified

@@ -661,6 +661,88 @@ func TestAttestationReplaceCreate(t *testing.T) {
 	}
 }
 
+func TestExcessiveAttestations(t *testing.T) {
+	repo, stop := reg(t)
+	defer stop()
+	td := t.TempDir()
+
+	imgName := path.Join(repo, "cosign-attest-download-e2e")
+
+	_, _, cleanup := mkimage(t, imgName)
+	defer cleanup()
+
+	_, privKeyPath, _ := keypair(t, td)
+	ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+
+	ctx := context.Background()
+
+	slsaAttestation := `{ "buildType": "x", "builder": { "id": "2" }, "recipe": {} }`
+	slsaAttestationPath := filepath.Join(td, "attestation.slsa.json")
+	if err := os.WriteFile(slsaAttestationPath, []byte(slsaAttestation), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	vulnAttestation := `
+	{
+    "invocation": {
+      "parameters": null,
+      "uri": "invocation.example.com/cosign-testing",
+      "event_id": "",
+      "builder.id": ""
+    },
+    "scanner": {
+      "uri": "fakescanner.example.com/cosign-testing",
+      "version": "",
+      "db": {
+        "uri": "",
+        "version": ""
+      },
+      "result": null
+    },
+    "metadata": {
+      "scanStartedOn": "2022-04-12T00:00:00Z",
+      "scanFinishedOn": "2022-04-12T00:10:00Z"
+    }
+}
+`
+	ref, err := name.ParseReference(imgName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	regOpts := options.RegistryOptions{}
+	ociremoteOpts, err := regOpts.ClientOpts(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	for i := 0; i < 102; i++ {
+		vulnAttestationPath := filepath.Join(td, fmt.Sprintf("attestation-%d.vuln.json", i))
+		if err := os.WriteFile(vulnAttestationPath, []byte(vulnAttestation), 0600); err != nil {
+			t.Fatal(err)
+		}
+
+		// Attest to create a vuln attestation
+		attestCommand := attest.AttestCommand{
+			KeyOpts:       ko,
+			PredicatePath: vulnAttestationPath,
+			PredicateType: "vuln",
+			Timeout:       30 * time.Second,
+			Replace:       false,
+		}
+		must(attestCommand.Exec(ctx, imgName), t)
+	}
+
+	attOpts := options.AttestationDownloadOptions{}
+	_, err = cosign.FetchAttestationsForReference(ctx, ref, attOpts.PredicateType, ociremoteOpts...)
+	if err == nil {
+		t.Fatalf("Expected an error, but 'err' was 'nil'")
+	}
+	expectedError := "maximum number of attestations on an image is 100, found 102"
+	if err.Error() != expectedError {
+		t.Errorf("Exted the error to be: '%s' but it was '%s'", expectedError, err.Error())
+	}
+}
+
 func TestAttestationReplace(t *testing.T) {
 	repo, stop := reg(t)
 	defer stop()
@@ -1254,6 +1336,38 @@ func TestDuplicateSign(t *testing.T) {
 	}
 }
 
+func TestExcessiveSignatures(t *testing.T) {
+	repo, stop := reg(t)
+	defer stop()
+	td := t.TempDir()
+
+	imgName := path.Join(repo, "cosign-e2e")
+
+	_, _, cleanup := mkimage(t, imgName)
+	defer cleanup()
+
+	ctx := context.Background()
+
+	for i := 0; i < 102; i++ {
+		_, privKeyPath, _ := keypair(t, td)
+
+		// Sign the image
+		ko := options.KeyOpts{KeyRef: privKeyPath, PassFunc: passFunc}
+		so := options.SignOptions{
+			Upload: true,
+		}
+		must(sign.SignCmd(ro, ko, so, []string{imgName}), t)
+	}
+	err := download.SignatureCmd(ctx, options.RegistryOptions{}, imgName)
+	if err == nil {
+		t.Fatal("Expected an error, but 'err' was 'nil'")
+	}
+	expectedErr := "maximum number of signatures on an image is 100, found 102"
+	if err.Error() != expectedErr {
+		t.Fatalf("Expected the error '%s', but got the error '%s'", expectedErr, err.Error())
+	}
+}
+
 func TestKeyURLVerify(t *testing.T) {
 	// TODO: re-enable once distroless images are being signed by the new client
 	t.Skip()

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-vfp6-jrw2-99g9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-46737ghsaADVISORY
github.com/sigstore/cosign/commit/8ac891ff0e29ddc67965423bee8f826219c6eb0fghsax_refsource_MISCWEB
github.com/sigstore/cosign/pull/3364ghsaWEB
github.com/sigstore/cosign/releases/tag/v1.13.2ghsaWEB
github.com/sigstore/cosign/releases/tag/v2.2.1ghsaWEB
github.com/sigstore/cosign/security/advisories/GHSA-vfp6-jrw2-99g9ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000