PT-2023-24598 · Notation

Author: Adam Korczynski, +1
Published: 2023-06-06 · Updated: 2024-08-20
CVE-2023-33958
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: notation versions prior to v1.0.0-rc.6
Description: An attacker who has compromised a registry and added a high number of signatures to an artifact can cause a denial of service on the machine on which a user runs the notation verify command against that artifact. The issue can be exploited by making the registry serve an infinite number of signatures for the artifact. The maxSignatureAttempts setting in notation verify enables this endless data attack.
Recommendations: For notation versions prior to v1.0.0-rc.6, upgrade the notation packages to v1.0.0-rc.6 or above. As a temporary workaround, consider restricting container registries to a set of secure and trusted registries until the patch is applied.
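The defensive pattern behind the fix, as an added illustration that is not Notation's own code: a verifier that pulls signatures from a registry one at a time stops after a bounded number of attempts instead of consuming an endless stream. The SignatureSource type, verifyWithCap, endlessRegistry and isValid below are assumed names, and the signature bytes are constructed samples.

```go
package main

import (
	"errors"
	"fmt"
)

// SignatureSource models "fetch the next signature for this artifact" from a registry.
// ok is false once the registry has no more signatures to serve.
type SignatureSource func() (sig []byte, ok bool)

var ErrTooManySignatures = errors.New("signature attempt limit reached; aborting verification")

// verifyWithCap tries signatures until one verifies, but never fetches more than
// maxSignatureAttempts of them, so a registry serving unbounded signatures cannot
// exhaust the verifier (assumed helper, not Notation's implementation).
func verifyWithCap(src SignatureSource, maxSignatureAttempts int, verify func([]byte) bool) (int, error) {
	if maxSignatureAttempts <= 0 {
		return 0, errors.New("maxSignatureAttempts must be positive")
	}
	attempts := 0
	for {
		if attempts >= maxSignatureAttempts {
			return attempts, ErrTooManySignatures // the cap is what turns endless data into a bounded failure
		}
		sig, ok := src()
		if !ok {
			return attempts, errors.New("no valid signature found")
		}
		attempts++
		if verify(sig) {
			return attempts, nil
		}
	}
}

// endlessRegistry simulates a compromised registry that never stops serving (bad) signatures.
func endlessRegistry() SignatureSource {
	n := 0
	return func() ([]byte, bool) { n++; return []byte(fmt.Sprintf("bad-sig-%d", n)), true }
}

// finiteRegistry serves a fixed, constructed list of signatures and then reports exhaustion.
func finiteRegistry(sigs [][]byte) SignatureSource {
	i := 0
	return func() ([]byte, bool) {
		if i >= len(sigs) {
			return nil, false
		}
		s := sigs[i]
		i++
		return s, true
	}
}

// isValid stands in for real signature verification: only the constructed "good-sig" passes.
func isValid(sig []byte) bool { return string(sig) == "good-sig" }

func main() {
	n, err := verifyWithCap(endlessRegistry(), 5, isValid)
	fmt.Println(n, err)
}
```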

Weakness Enumeration: Resource Exhaustion

Related Identifiers: CVE-2023-33958, GHSA-RVRX-RRWH-R9P6, GO-2023-1831

Affected Products: Notation