CVE-2023-33959

HIGH

notaryproject/notation-go < 1.0.0-rc.6 - Improper Verification of Cryptographic Signature

Title source: llm

Description

notation is a CLI tool to sign and verify OCI artifacts and container images. An attacker who has compromised a registry can cause users to verify the wrong artifact. The problem has been fixed in the release v1.0.0-rc.6. Users should upgrade their notation-go library to v1.0.0-rc.6 or above. Users unable to upgrade may restrict container registries to a set of secure and trusted container registries.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r

Scores

CVSS v3 8.3

EPSS 0.0035

EPSS Percentile 27.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-347

Status published

Products (3)

notaryproject/notation-go 1.0.0 rc1 (5 CPE variants)

notaryproject/notation-go < 1.0.0

notaryproject/notation-go 0 - 1.0.0-rc.6Go

Published Jun 06, 2023

Tracked Since Feb 18, 2026