Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
notation-go has excessive memory allocation on verification
Vulnerability Description
notation-go is a collection of libraries for supporting Notation sign, verify, push, and pull of oci artifacts. Prior to version 1.0.0-rc.3, notation-go users will find their application using excessive memory when verifying signatures. The application will be killed, and thus availability is impacted. The problem has been patched in the release v1.0.0-rc.3. Some workarounds are available. Users can review their own trust policy file and check if the identity string contains `=#`. Meanwhile, users should only put trusted certificates in their trust stores referenced by their own trust policy files, and make sure the `authenticity` validation is set to `enforce`.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
不加限制或调节的资源分配
Vulnerability Title
notation-go 安全漏洞
Vulnerability Description
notation-go是notaryproject个人开发者的支持签署和验证 OCI 工件的库集合。 notation-go 1.0.0-rc.3 之前版本存在安全漏洞,该漏洞源于应用程序在验证签名时占用过多内存,最终导致应用程序被 kill,可用性受到影响。
CVSS Information
N/A
Vulnerability Type
N/A