CVE-2023-25656

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-25656
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25656.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-25656
Aliases
Related
Published
2023-02-20T16:15:10Z
Modified
2025-05-28T10:33:20.178695Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

notation-go is a collection of libraries that support Notation sign, verify, push, and pull operations on OCI artifacts. Prior to version 1.0.0-rc.3, an application using notation-go consumes excessive memory when verifying signatures; the application is killed, and availability is impacted. The problem has been patched in release v1.0.0-rc.3. Some workarounds are available: users can review their own trust policy file and check whether any identity string contains "=#". Meanwhile, users should only put trusted certificates in the trust stores referenced by their trust policy files, and make sure authenticity validation is set to enforce.

References

Affected packages

Git / github.com/notaryproject/notation-go

Affected ranges

Type
GIT
Repo
https://github.com/notaryproject/notation-go
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.10.0-alpha.3
v0.11.0-alpha.4
v0.12.0-beta.1
v0.7.0-alpha.1
v0.8.0-alpha.1
v0.9.0-alpha.1

v1.*

v1.0.0-rc.1