| id: GO-2023-1832 |
| modules: |
| - module: github.com/notaryproject/notation-go |
| versions: |
| - fixed: 1.0.0-rc.6 |
| vulnerable_at: 1.0.0-rc.5 |
| packages: |
| - package: github.com/notaryproject/notation-go |
| symbols: |
| - Sign |
| - Verify |
| summary: Verification bypass in github.com/notaryproject/notation-go |
| description: |- |
| An attacker who controls or compromises a registry can lead a user to verify the |
| wrong artifact. |
| cves: |
| - CVE-2023-33959 |
| ghsas: |
| - GHSA-xhg5-42rf-296r |
| credits: |
| - Adam Korczynski (@AdamKorcz) |
| - Shiwei Zhang (@shizhMSFT) |
| - Pritesh Bandi (@priteshbandi) |
| references: |
| - advisory: https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r |
| - fix: https://github.com/notaryproject/notation-go/commit/39c8ed050a65cca3f3f308534acb612096735a64 |
| - fix: https://github.com/notaryproject/notation-go/commit/eba60f5aed9c9e05dee55324423c95fe34700b4c |
| - web: https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6 |
| review_status: REVIEWED |