CVE-2023-25656

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-25656

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25656.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-25656

Aliases

Related

Published

2023-02-20T16:15:10Z

Modified

2025-07-02T00:25:18.783809Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains =#. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the authenticity validation is set to enforce.

References

Affected packages

Git / github.com/notaryproject/notation-go

Affected ranges

Type: GIT
Repo: https://github.com/notaryproject/notation-go
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

de8b7ddaa5b22c6b4c40924ade50d89bfb813a25

Affected versions

v0.*

v0.10.0-alpha.3

v0.11.0-alpha.4

v0.12.0-beta.1

v0.7.0-alpha.1

v0.8.0-alpha.1

v0.9.0-alpha.1

v1.*

v1.0.0-rc.1