VDB
CVE-2023-33959
PUBLISHED
CVSS 8.4 HIGH
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict the registries they pull from to a set of secure and trusted container registries.
EPSS 0.15% · 34.7th percentile
Risk Scores
CVSS v3.1
8.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score
0.15%
34.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| notaryproject | notation-go | 1.0.0 |
| github.com | notaryproject/notation-go | 0 |
Timeline
- Jun 6, 2023 CVE Published
- Jun 7, 2023 EPSS Score
- Jun 27, 2023 CVE Updated
- Jul 13, 2023 EPSS Score
- Aug 17, 2023 EPSS Score
- Sep 22, 2023 EPSS Score
- Oct 28, 2023 EPSS Score
- Dec 3, 2023 EPSS Score
- Jan 7, 2024 EPSS Score
- Feb 12, 2024 EPSS Score
- Mar 19, 2024 EPSS Score
- Apr 24, 2024 EPSS Score
References
- https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r (url)
- https://nvd.nist.gov/vuln/detail/CVE-2023-33959 (advisory)
- https://github.com/notaryproject/notation-go/commit/39c8ed050a65cca3f3f308534acb612096735a64 (url)
- https://github.com/notaryproject/notation-go/commit/eba60f5aed9c9e05dee55324423c95fe34700b4c (url)
- https://github.com/notaryproject/notation-go (package)
- https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6 (url)