CVE-2023-33957: 
vulnerability analysis and mitigation

notation is a CLI tool to sign and verify OCI artifacts and container images. The vulnerability (CVE-2023-33957) was discovered and disclosed in June 2023, affecting versions prior to 1.0.0-rc.6. The vulnerability allows an attacker who has compromised a registry to cause denial of service on machines running notation inspect command by adding a high number of signatures to an artifact (GitHub Advisory, NVD).

The vulnerability stems from the lack of limits on the number of signatures that can be processed when inspecting an artifact. When a registry serves an infinite number of signatures for an artifact, it can cause excessive resource consumption on the host machine running notation verify or inspect commands. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 MEDIUM by NVD (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H) and 2.6 LOW by GitHub (Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:N/A:L) (NVD).

If exploited, this vulnerability can lead to denial of service of services on the machine where the notation inspect command is run. The impact is primarily on the availability of the system, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been fixed in version 1.0.0-rc.6. Users are advised to upgrade their notation packages to v1.0.0-rc.6 or above. For users unable to upgrade, a workaround is to restrict container registries to a set of secure and trusted container registries (NVD).

The notation project acknowledged the contribution of Adam Korczynski for responsibly disclosing the issue found during a security audit facilitated by OSTIF and sponsored by CNCF. Shiwei Zhang was credited for root cause analysis (GitHub Advisory).