CVE-2023-33959: 
Wolfi vulnerability analysis and mitigation

notation is a CLI tool to sign and verify OCI artifacts and container images. The vulnerability (CVE-2023-33959) was discovered in versions prior to 1.0.0-rc.6, where an attacker who has compromised a registry can cause users to verify the wrong artifact (Vendor Advisory).

The vulnerability has a CVSS v3.1 base score of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) according to NVD, while GitHub rates it as 8.3 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). The vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature) (NVD).

If exploited, an attacker who has control over or has compromised a registry can manipulate users into verifying incorrect artifacts, potentially leading to the execution of unauthorized or malicious code (Vendor Advisory).

The vulnerability has been patched in version 1.0.0-rc.6. Users are strongly advised to upgrade their notation-go library to version 1.0.0-rc.6 or above. As a workaround, users can restrict container registries to a set of secure and trusted container registries (Vendor Advisory).

The vulnerability was discovered during a security audit facilitated by OSTIF and sponsored by CNCF. The notation project acknowledged Adam Korczynski for responsibly disclosing the issue, and Shiwei Zhang and Pritesh Bandi for root cause analysis (Vendor Advisory).