PT-2023-22778 · Rekor (+1) · Adamkorcz (+1)
Published 2023-05-03 · Updated 2024-08-20
CVE-2023-30551
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Rekor versions prior to 1.1.1
Description: Rekor is an open source software supply chain transparency log. Versions prior to 1.1.1 read archive metadata files into memory without first checking their sizes, so a submitted archive with oversized metadata can exhaust memory and crash the process (denial of service). Two code paths are affected: verification of a JAR file submitted to Rekor reads every file within the JAR's META-INF directory into memory, and parsing of an APK file submitted to Rekor reads the .SIGN and .PKGINFO files into memory. In either case a sufficiently large file causes an out of memory (OOM) crash.
Recommendations: Update to Rekor version 1.1.1 or later. Until the update is applied, restrict the size of files within the META-INF directory of JAR files and of the .SIGN and .PKGINFO files within APK files that are submitted to Rekor, and avoid submitting JAR or APK files whose metadata files are large. Note that the CVSS vector (AV:N, PR:N) reflects that an unauthenticated remote submitter can trigger the crash, so this workaround only protects an instance whose submissions are controlled; it does not stop a hostile submitter from causing denial of service on a publicly reachable instance.
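The following is an added illustration, not code from Rekor or from this advisory, of the weakness class described above and of the size check the recommendations call for. It builds two in-memory JARs (a JAR is a zip archive; the sample entries are constructed here), reads their META-INF entries with an unbounded io.ReadAll, which mirrors the vulnerable pattern, and then with a per-entry cap that checks both the declared uncompressed size and the bytes actually read. The cap value, the function names and the helper buildJAR are assumptions for this example. The APK case (.SIGN and .PKGINFO entries in a tar.gz) follows the same pattern with archive/tar and is not repeated here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrEntryTooLarge is returned when a META-INF entry exceeds the configured cap.
var ErrEntryTooLarge = errors.New("META-INF entry exceeds size limit")

// buildJAR constructs an in-memory zip (a JAR is a zip) from name -> content.
// Test data only; constructed for this example, not a real artifact.
func buildJAR(entries map[string]string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, content := range entries {
		w, err := zw.Create(name)
		if err != nil {
			return nil, err
		}
		if _, err := io.WriteString(w, content); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// readMetaInfUnbounded mirrors the vulnerable pattern: every META-INF entry is
// read fully into memory with no size check, so a small, highly compressible
// upload can force the process to allocate an arbitrary amount of memory.
func readMetaInfUnbounded(jar []byte) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{}
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "META-INF/") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc) // unbounded: allocates the full uncompressed size
		rc.Close()
		if err != nil {
			return nil, err
		}
		out[f.Name] = data
	}
	return out, nil
}

// readMetaInfBounded is the hardened form. It rejects entries whose declared
// uncompressed size exceeds maxEntry, and it also caps the actual read with
// io.LimitReader, because the size fields in a zip header are attacker
// controlled and may understate the real decompressed size.
func readMetaInfBounded(jar []byte, maxEntry int64) (map[string][]byte, error) {
	zr, err := zip.NewReader(bytes.NewReader(jar), int64(len(jar)))
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{}
	for _, f := range zr.File {
		if !strings.HasPrefix(f.Name, "META-INF/") {
			continue
		}
		if f.UncompressedSize64 > uint64(maxEntry) {
			return nil, fmt.Errorf("%s: declared %d bytes: %w", f.Name, f.UncompressedSize64, ErrEntryTooLarge)
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		// Read at most maxEntry+1 bytes so an understated header is still caught.
		data, err := io.ReadAll(io.LimitReader(rc, maxEntry+1))
		rc.Close()
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > maxEntry {
			return nil, fmt.Errorf("%s: actual size exceeds limit: %w", f.Name, ErrEntryTooLarge)
		}
		out[f.Name] = data
	}
	return out, nil
}

func main() {
	small, _ := buildJAR(map[string]string{
		"META-INF/MANIFEST.MF":    "Manifest-Version: 1.0\n",
		"com/example/Hello.class": "not really bytecode",
	})
	// 4 MiB of padding compresses to a few KiB: small upload, large allocation.
	big, _ := buildJAR(map[string]string{
		"META-INF/MANIFEST.MF": strings.Repeat("A", 4<<20),
	})
	const limit = 64 << 10 // assumed cap: 64 KiB per META-INF entry

	if _, err := readMetaInfBounded(small, limit); err != nil {
		fmt.Println("small jar rejected unexpectedly:", err)
	}
	if _, err := readMetaInfBounded(big, limit); errors.Is(err, ErrEntryTooLarge) {
		fmt.Printf("oversized META-INF entry rejected (compressed input was only %d bytes): %v\n", len(big), err)
	}
}
```

The compressed size of the crafted archive is a poor proxy for the memory it costs to parse, which is why the check has to be on the decompressed entry size and why a request body limit alone is not sufficient. Checking the declared size first avoids even starting the decompression for an obviously oversized entry; the LimitReader covers the case where the header lies.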


Weakness Enumeration

CWE-770: Allocation of Resources Without Limits or Throttling

Related Identifiers

CVE-2023-30551
GHSA-2H5H-59F5-C5X9
GO-2023-1754
OPENSUSE-SU-2024:12919-1
SUSE-SU-2023:2210-1

Affected Products

Rekor
SUSE