CVE-2023-25656: 
Wolfi vulnerability analysis and mitigation

CVE-2023-25656 is a vulnerability discovered in notation-go, a collection of libraries for supporting Notation sign and verify functionality. The vulnerability was disclosed on February 20, 2023, affecting versions <= 0.9.0-alpha.1 of the github.com/notaryproject/notation-go package (GitHub Advisory).

The vulnerability is classified as a resource exhaustion issue with a CVSS v3.1 base score of 6.5 (Moderate). The attack vector is Network-based with low attack complexity, requiring no privileges but necessitating user interaction. The vulnerability has no impact on confidentiality or integrity but has a high impact on availability (GitHub Advisory).

When exploited, the vulnerability causes excessive memory allocation during signature verification processes. This leads to applications consuming excessive memory resources until they are eventually killed, resulting in a significant availability impact (GitHub Advisory).

Users are advised to upgrade their notation-go packages to version 1.0.0-rc.3 or above, which contains the patch for this vulnerability. As a workaround, users should review their trust policy files for identity strings containing '=#' and ensure that only trusted certificates are present in trust stores referenced by their trust policy files (GitHub Advisory).