Vulnerability Report: GO-2023-2181

CVE-2023-46737, GHSA-vfp6-jrw2-99g9
Affects: github.com/sigstore/cosign, github.com/sigstore/cosign/v2
Published: Nov 09, 2023
Modified: May 20, 2024

An attacker who controls a remote registry can return a high number of attestations and/or signatures to cosign. This can cause cosign to enter a long loop resulting in a denial of service, i.e., endless data attack.

Affected Packages

Path

Go Versions

Symbols
github.com/sigstore/cosign/pkg/cosign

all versions, no known fixed
- FetchSignaturesForReference
github.com/sigstore/cosign/v2/pkg/cosign

before v2.2.1
- FetchSignaturesForReference

Aliases

CVE-2023-46737
GHSA-vfp6-jrw2-99g9

References

https://github.com/sigstore/cosign/commit/8ac891ff0e29ddc67965423bee8f826219c6eb0f
https://github.com/sigstore/cosign/releases/tag/v2.2.1
https://vuln.go.dev/ID/GO-2023-2181.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL