PT-2024-23123 · Cosign+1

Adamkorcz · Published 2024-04-10 · Updated 2025-01-09 · CVE-2024-29902

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Cosign versions prior to 2.2.4

Description: Cosign provides code signing and transparency for containers and binaries. A remote image with a malicious attachment can cause a denial of service on the host machine running Cosign, impacting other services on that machine that rely on having memory available, such as a Redis database, which can result in data loss. The root cause is that Cosign reads the attachment from a remote image entirely into memory without first checking the attachment's size. This allows a supply-chain escalation from a compromised registry to the Cosign user: an attacker who has compromised a registry or the account of an image vendor can include a malicious attachment and harm the image consumer.

Recommendations: Update to version 2.2.4 or later, which limits the number of attachments and includes a patch for the vulnerability. As a temporary workaround, consider restricting the size of attachments that can be read into memory to prevent denial of service. Additionally, an environment variable can override the default value for the number of attachments.
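The following Go program is an added illustration of the root cause and the recommended workaround; it is not Cosign's own code. It contrasts the unbounded read-everything-into-memory pattern the advisory describes with a bounded variant that rejects an attachment from its declared size before allocating anything and additionally caps the actual read, so a descriptor that understates its size cannot bypass the check. The limit override helper and the `EXAMPLE_MAX_ATTACHMENT_BYTES` environment variable name are hypothetical stand-ins for the operator-configurable limit the advisory mentions; the sample blob is constructed in memory.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"strconv"
)

// ErrAttachmentTooLarge is returned when an attachment exceeds the configured limit.
var ErrAttachmentTooLarge = errors.New("attachment exceeds maximum allowed size")

// DefaultMaxAttachmentBytes is an illustrative default (16 MiB), not Cosign's value.
const DefaultMaxAttachmentBytes int64 = 16 << 20

// unboundedReadAttachment mirrors the pattern the advisory identifies as the
// root cause: the whole blob is pulled into memory with no size check, so the
// registry (or whoever controls it) decides how much memory the client uses.
func unboundedReadAttachment(r io.Reader) ([]byte, error) {
	return io.ReadAll(r)
}

// boundedReadAttachment is the hardened form. It fails fast on the descriptor's
// declared size before allocating, then reads at most maxBytes+1 bytes from the
// stream so an oversized body is detected instead of consumed in full.
func boundedReadAttachment(r io.Reader, declaredSize, maxBytes int64) ([]byte, error) {
	if declaredSize > maxBytes {
		return nil, fmt.Errorf("%w: declared %d bytes, limit %d", ErrAttachmentTooLarge, declaredSize, maxBytes)
	}
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		// The descriptor lied about its size; the capped read still protects us.
		return nil, fmt.Errorf("%w: stream exceeded %d bytes", ErrAttachmentTooLarge, maxBytes)
	}
	return data, nil
}

// parseMaxAttachmentBytes applies an operator override (for example from an
// environment variable) on top of a default; malformed or non-positive values
// fall back to the default rather than silently disabling the limit.
func parseMaxAttachmentBytes(override string, fallback int64) int64 {
	if override == "" {
		return fallback
	}
	n, err := strconv.ParseInt(override, 10, 64)
	if err != nil || n <= 0 {
		return fallback
	}
	return n
}

func main() {
	// Hypothetical environment variable name; the default limit here is 1 MiB.
	limit := parseMaxAttachmentBytes(os.Getenv("EXAMPLE_MAX_ATTACHMENT_BYTES"), 1<<20)

	// Constructed sample: a 5 MiB attachment, well over the 1 MiB limit.
	blob := bytes.Repeat([]byte{'A'}, 5<<20)

	data, _ := unboundedReadAttachment(bytes.NewReader(blob))
	fmt.Printf("unbounded read allocated %d bytes\n", len(data))

	_, err := boundedReadAttachment(bytes.NewReader(blob), int64(len(blob)), limit)
	fmt.Println("honest descriptor:", err)

	_, err = boundedReadAttachment(bytes.NewReader(blob), 100, limit)
	fmt.Println("lying descriptor:", err)

	small := []byte("small attachment")
	data, err = boundedReadAttachment(bytes.NewReader(small), int64(len(small)), limit)
	fmt.Printf("small attachment: %d bytes, err=%v\n", len(data), err)
}
```

In a real client the declared size would come from the image manifest's layer descriptor and the reader from the registry blob endpoint; the two-stage check matters because the manifest is attacker-controlled in the scenario the advisory describes, so the declared size alone cannot be trusted.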

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

BIT-COSIGN-2024-29902
CVE-2024-29902
GHSA-88JX-383Q-W4QC
GO-2024-2718
OPENSUSE-SU-2024:13863-1
OPENSUSE-SU-2024:13903-1
OPENSUSE-SU-2024_1486-1
OPENSUSE-SU-2024_1486-2
SUSE-SU-2024:1486-1
SUSE-SU-2024:1486-2
SUSE-SU-2024_1486-1
SUSE-SU-2024_1486-2

Affected Products

Cosign
Suse