CVE-2023-46737: 
NixOS vulnerability analysis and mitigation

Cosign, a sigstore signing tool for OCI containers, was found to be vulnerable to a denial of service attack (CVE-2023-46737) discovered in November 2023. The vulnerability affects versions up to and including 2.2.0, with a patch available in version 2.2.1. The issue allows an attacker who controls a remote registry to return a high number of attestations and/or signatures to Cosign, causing it to enter a long loop resulting in an endless data attack (GitHub Advisory).

The vulnerability stems from an unchecked loop in Cosign's pkg/cosign.FetchAttestations function that processes all attestations fetched from the remote registry. The root cause is that Cosign did not implement any limits on the number of attestations it would process, making it susceptible to an endless data attack. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (LOW) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L, indicating network attack vector with high complexity, no privileges required, and user interaction required (GitHub Advisory).

The vulnerability can be exploited to cause a denial of service condition, preventing users from verifying their data. In specific scenarios, such as in Kyverno's case, an attacker with limited cluster access privileges can trigger the infinite loop by making a request with an image reference to their controlled registry, effectively denying other users from completing their admission requests. The attack could also be used as a type of rollback attack to prevent security upgrades by causing Cosign to get stuck in an infinite loop (GitHub Advisory).

The vulnerability has been patched in Cosign version 2.2.1. The fix implements a simple limit on the number of attestations that Cosign will process, preventing the endless data attack while maintaining functionality for the vast majority of use cases. Users are advised to upgrade to version 2.2.1 or later (GitHub Advisory, GitHub Patch).