CVE-2024-56138: 
Wolfi vulnerability analysis and mitigation

notion-go is a collection of libraries for supporting sign and verify OCI artifacts based on Notary Project specifications. The vulnerability (CVE-2024-56138) was identified during Quarkslab's audit of the timestamp feature, where during timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified. The issue affects versions >= v1.2.0-beta.1 and <= v1.3.0-rc.1 (GitHub Advisory).

During timestamp signature generation, notation-go failed to check the revocation status of the certificate chain used by the TSA (Time Stamping Authority). This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. The vulnerability has been assigned a CVSS v3.1 score of 4.0 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating local attack vector, low attack complexity, no privileges required, and impact primarily on availability (GitHub Advisory).

The vulnerability could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes. The timestamp signature would fail due to the presence of revoked certificate(s), potentially disrupting operations. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by notation (GitHub Advisory).

This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability (GitHub Advisory).