CVE-2023-33957
LowCVSS 2.6Exploitation Probability (EPSS)
Low risk39th percentile — higher than 39% of all known CVEs
Summary
A vulnerability in the CLI tool notation allows an attacker who has compromised a registry to add a high number of signatures to an artifact, potentially leading to denial of service on the machine when a user runs the 'notation inspect' command.
Risk Assessment
The organization may experience service outages, impacting system availability and potentially leading to loss of user trust.
Recommendation
It is recommended to upgrade notation packages to version v1.0.0-rc.6 or above. Users unable to upgrade should restrict container registries to a set of secure and trusted registries.
Original NVD description (English source)
notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry and added a high number of signatures to an artifact can cause denial of service of services on the machine, if a user runs notation inspect command on the same machine. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation packages to v1.0.0-rc.6 or above. Users are advised to upgrade. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.

