An attacker who controls a remote registry can return a high number of attestations and/or signatures to cosign. This can cause cosign to enter a long loop, resulting in a denial of service, i.e., an endless data attack.
{ "imports": [ { "path": "github.com/sigstore/cosign/pkg/cosign", "symbols": [ "FetchSignaturesForReference" ] } ] }
{ "imports": [ { "path": "github.com/sigstore/cosign/v2/pkg/cosign", "symbols": [ "FetchSignaturesForReference" ] } ] }