Description

notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains `=#`. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`.

Classification

CVE ID: CVE-2023-25656

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

Affected Products

Vendor: notaryproject

Product: notation-go

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.1% (probability of being exploited)

EPSS Percentile: 42.95% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.3
https://github.com/notaryproject/notation-go/security/advisories/GHSA-87x9-7grx-m28v

Timeline