Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2024-23332
CVE-2024-23332:
vulnerability analysis and mitigation
Overview
The Notary Project, a set of specifications and tools designed to provide a cross-industry standard for securing software supply chains, has identified a vulnerability (CVE-2024-23332) that affects artifact consumers using relaxed trust policies. The vulnerability was discovered and disclosed on January 19, 2024, affecting all versions of the Notary Project's notation package. The vulnerability allows external actors with control of a compromised container registry to serve outdated versions of OCI artifacts, potentially exposing users to previously patched vulnerabilities (GitHub Advisory).
Technical details
The vulnerability specifically impacts artifact consumers who use relaxed trust policies (such as 'permissive' instead of 'strict'). When these policies are in place, consumers may potentially use artifacts with signatures that are no longer valid. The vulnerability has been assigned a CVSS v3.1 base score of 4.0 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:L, indicating network attack vector with high complexity, requiring high privileges and user interaction (NVD).
Impact
If exploited, this vulnerability could lead to the use of outdated artifacts containing known vulnerabilities. In scenarios where a container registry is compromised, attackers could serve older versions of artifacts that may contain security issues, even though these artifacts might have valid but expired signatures. This particularly affects systems using relaxed trust policies, potentially compromising the security of the software supply chain (GitHub Advisory).
Mitigation and workarounds
Several mitigation strategies are available: 1) Artifact publishers should use shorter signature validity periods and implement processes to periodically resign artifacts, 2) Artifact consumers should use 'strict' trust policies that enforce signature expiry, 3) Publishers can sign with short-lived certificates and revoke older certificates when necessary, 4) The Notary Project supports various signature validation options including 'permissive', 'audit', and 'skip' for different scenarios. These mitigations together enable the use of up-to-date artifacts and protect against rollback attacks in case of registry compromise (GitHub Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management