PT-2023-30177 · Cosign+1

Adamkorcz · Published 2023-11-07 · Updated 2024-06-15 · CVE-2023-46737

CVSS v3.1: 3.1 (Low)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Cosign versions prior to 2.2.1

Description: The issue is a denial of service vulnerability that can be exploited by an attacker who controls a remote registry. The attacker can return a high number of attestations and/or signatures to Cosign, causing it to enter a long or infinite loop. This results in an endless data attack, preventing other users from verifying their data. The root cause is that Cosign loops through all attestations fetched from the remote registry in pkg/cosign.FetchAttestations. To trigger it, the attacker needs to compromise the registry, or cause Cosign to make a request to a registry they control, and return a high number of attestations in the response.

Recommendations: Upgrade to version 2.2.1 or later, which includes a patch for this issue. For versions prior to 2.2.1, the issue can be mitigated as a temporary workaround by setting a limit on the number of attestations that Cosign will loop through, which prevents the endless data attack.
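The workaround above, bounding how many attestations a verifier will consume from an untrusted registry, as an added example that is not Cosign's own code: the `Attestation` and `AttestationSource` types, the `VerifyBounded` function and the constructed `SliceSource` registry response are all assumptions for this illustration, and the limit applies even when the registry never stops answering.

```go
package main

import "errors"

// Attestation models one registry entry; the field is an assumption, not Cosign's type.
type Attestation struct{ Digest string }

// AttestationSource yields the next attestation, or false when the registry says
// there are no more. A hostile registry may never say so.
type AttestationSource func() (Attestation, bool)

// ErrTooManyAttestations signals that the registry exceeded the configured cap.
var ErrTooManyAttestations = errors.New("registry returned more attestations than allowed")

// VerifyBounded processes attestations from an untrusted registry but stops after
// maxAttestations of them, so the verifier cannot be kept looping indefinitely. It
// fails closed (0, error) on an oversized response, else returns how many verified.
func VerifyBounded(next AttestationSource, maxAttestations int, verify func(Attestation) bool) (int, error) {
	if maxAttestations <= 0 {
		return 0, errors.New("maxAttestations must be positive")
	}
	verified, processed := 0, 0
	for {
		att, ok := next()
		if !ok {
			return verified, nil
		}
		if processed == maxAttestations {
			return 0, ErrTooManyAttestations
		}
		if verify(att) {
			verified++
		}
		processed++
	}
}

// SliceSource is a constructed, well-behaved registry response of fixed length.
func SliceSource(atts []Attestation) AttestationSource {
	return func() (Attestation, bool) {
		if len(atts) == 0 {
			return Attestation{}, false
		}
		att := atts[0]
		atts = atts[1:]
		return att, true
	}
}
```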

Exploit · Fix · DoS · Infinite Loop · Resource Exhaustion


Related Identifiers

BIT-COSIGN-2023-46737
CVE-2023-46737
GHSA-VFP6-JRW2-99G9
GO-2023-2181
OPENSUSE-SU-2024:13402-1
SUSE-SU-2023:4870-1
SUSE-SU-2023_4870-1

Affected Products

Cosign
Suse