blob: 320c6b1d793aa8e6076d4616ab03e733e0ca5b6c [file] [log] [blame]
id: GO-2023-1832
modules:
- module: github.com/notaryproject/notation-go
versions:
- fixed: 1.0.0-rc.6
vulnerable_at: 1.0.0-rc.5
packages:
- package: github.com/notaryproject/notation-go
symbols:
- Sign
- Verify
summary: Verification bypass in github.com/notaryproject/notation-go
description: |-
An attacker who controls or compromises a registry can lead a user to verify the
wrong artifact.
cves:
- CVE-2023-33959
ghsas:
- GHSA-xhg5-42rf-296r
credits:
- Adam Korczynski (@AdamKorcz)
- Shiwei Zhang (@shizhMSFT)
- Pritesh Bandi (@priteshbandi)
references:
- advisory: https://github.com/notaryproject/notation-go/security/advisories/GHSA-xhg5-42rf-296r
- fix: https://github.com/notaryproject/notation-go/commit/39c8ed050a65cca3f3f308534acb612096735a64
- fix: https://github.com/notaryproject/notation-go/commit/eba60f5aed9c9e05dee55324423c95fe34700b4c
- web: https://github.com/notaryproject/notation-go/releases/tag/v1.0.0-rc.6
review_status: REVIEWED