PT-2023-24597 · Notation

Adamkorcz · Published 2023-06-06 · Updated 2024-08-20

CVE-2023-33957
CVSS v3.1: 5.7 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: notation, versions prior to v1.0.0-rc.6

Description: An attacker who controls or has compromised a registry can attach a very large number of signatures to an artifact, or make the registry serve an endless stream of signatures for it. When a user runs notation inspect or notation verify against that artifact on a machine, the client keeps fetching and processing signatures without any limit, exhausting resources on that host and causing a denial of service.

Recommendations: For versions prior to v1.0.0-rc.6, upgrade the notation packages to v1.0.0-rc.6 or later. As a temporary workaround, restrict the container registries in use to a set of secure and trusted registries; relying only on trusted registries minimizes the risk of exploitation.
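The defensive pattern behind the fix is a hard upper bound on how many signatures (and how many registry round-trips) a verifier will examine for one artifact before giving up. The following Go program is an added example written for this page; it is not notation's own code, and the SignatureSource interface, the constructed registries, the collectBounded function and its limits are all assumptions made for illustration. It shows a hostile registry that claims to have more signatures forever, one that serves empty pages forever, and an honest registry with a finite set, and demonstrates that the bounded collector terminates with an error in the first two cases and succeeds in the third.

```go
package main

import (
	"errors"
	"fmt"
)

// Errors returned when the registry exceeds the caller's limits.
var (
	ErrTooManySignatures = errors.New("signature count exceeds configured limit")
	ErrTooManyPages      = errors.New("registry page count exceeds configured limit")
)

// SignatureSource models the registry-facing call that lists signature
// digests for an artifact one page at a time. This interface is an
// assumption for the example, not notation's real registry API.
type SignatureSource interface {
	// ListSignatures returns the digests on the given page and whether the
	// registry claims that further pages exist.
	ListSignatures(page int) (digests []string, more bool)
}

// infiniteRegistry is a constructed hostile registry: every page reports
// that more pages follow. With pageSize 0 it serves empty pages forever,
// which exercises the page limit rather than the signature limit.
type infiniteRegistry struct{ pageSize int }

func (r infiniteRegistry) ListSignatures(page int) ([]string, bool) {
	out := make([]string, r.pageSize)
	for i := range out {
		out[i] = fmt.Sprintf("sha256:constructed-%d-%d", page, i)
	}
	return out, true
}

// honestRegistry is a constructed registry with a fixed, finite set of
// signatures, paged pageSize at a time.
type honestRegistry struct {
	sigs     []string
	pageSize int
}

func (r honestRegistry) ListSignatures(page int) ([]string, bool) {
	start := page * r.pageSize
	if start >= len(r.sigs) {
		return nil, false
	}
	end := start + r.pageSize
	if end > len(r.sigs) {
		end = len(r.sigs)
	}
	return r.sigs[start:end], end < len(r.sigs)
}

// collectBounded gathers signature digests from src but refuses to examine
// more than maxSignatures digests or to request more than maxPages pages.
// Bounding both counters matters: a registry can stall a client with empty
// pages that always claim "more", which a signature-only limit never catches.
func collectBounded(src SignatureSource, maxSignatures, maxPages int) ([]string, error) {
	var collected []string
	for page := 0; ; page++ {
		if page >= maxPages {
			return collected, ErrTooManyPages
		}
		digests, more := src.ListSignatures(page)
		for _, d := range digests {
			if len(collected) >= maxSignatures {
				return collected, ErrTooManySignatures
			}
			collected = append(collected, d)
		}
		if !more {
			return collected, nil
		}
	}
}

func main() {
	// The bounded collector returns promptly against a registry that would
	// otherwise keep an unbounded walker busy forever.
	sigs, err := collectBounded(infiniteRegistry{pageSize: 10}, 50, 100)
	fmt.Printf("hostile registry: examined %d signatures, err=%v\n", len(sigs), err)

	sigs, err = collectBounded(honestRegistry{sigs: []string{"a", "b", "c"}, pageSize: 2}, 50, 100)
	fmt.Printf("honest registry: examined %d signatures, err=%v\n", len(sigs), err)
}
```

In a real verifier the limit is applied the same way, and verification stops early on the first signature that passes policy; the point of the bound is that a malicious or broken registry can no longer dictate how much work and memory the client spends on a single artifact.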

Exploit

Fix

Weakness Enumeration: Resource Exhaustion

Related Identifiers:
CVE-2023-33957
GHSA-9M3V-V4R5-PPX7
GO-2023-1829

Affected Products:
Notation