PT-2025-3196 · Unknown · Notation-Go

Faeris95 · Published 2025-01-13 · Updated 2025-01-30 · CVE-2024-56138

CVSS v3.1: 4.0 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: notation-go versions prior to 1.3.0-rc.2

Description: The issue arises because the revocation status of the certificate(s) used to generate the timestamp signature is not verified during timestamp signature generation. This oversight opens the door to Man-in-the-Middle attacks, in which an attacker could use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature. The result could be a denial of service, particularly in CI/CD environments, at signature verification time: the timestamp signature would fail because of the revoked certificate(s), potentially disrupting operations.

Recommendations: notation-go versions prior to 1.3.0-rc.2: upgrade to release version 1.3.0-rc.2 or later to address the issue.

Tags: DoS

Weakness Enumeration

Related Identifiers

CVE-2024-56138
GHSA-45V3-38PC-874V
GO-2025-3381
OPENSUSE-SU-2025:14653-1
OPENSUSE-SU-2025_0297-1
SUSE-SU-2025:0297-1

Affected Products

Suse
Notation-Go