Description

notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified. During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

INFO

Published Date :

2025-01-13T21:37:59.729Z

Last Modified :

2025-01-14T00:26:00.838Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-56138 vulnerability.

Vendors Products
Notaryproject
  • Notation-go
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-56138.

URL Resource
https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102 cve-icon cve-icon
https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact