{
  "id": "CVE-2024-56138",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2025-01-13T22:15:14.313",
  "lastModified": "2025-01-13T22:15:14.313",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "notation-go is a collection of libraries for supporting signing and verifying OCI artifacts, based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified: notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes, because timestamp signature verification would fail due to the presence of a revoked certificate(s), potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "notation-go es una colecci\u00f3n de librer\u00edas para respaldar la firma y verificaci\u00f3n de artefactos OCI. Basado en las especificaciones del Proyecto Notary. Este problema se identific\u00f3 durante la auditor\u00eda de Quarkslab de la caracter\u00edstica timestamp. Durante la generaci\u00f3n de la firma timestamp, no se verific\u00f3 el estado de revocaci\u00f3n de los certificados utilizados para generar la firma timestamp. Durante la generaci\u00f3n de la firma timestamp, notation-go no verific\u00f3 el estado de revocaci\u00f3n de la cadena de certificados utilizada por la TSA. Este descuido crea una vulnerabilidad que podr\u00eda explotarse a trav\u00e9s de un ataque Man-in-The-Middle. Un atacante podr\u00eda potencialmente usar un certificado de hoja comprometido, intermedio o revocado para generar una contrafirma maliciosa, que luego ser\u00eda aceptada y almacenada por `notation`. Esto podr\u00eda conducir a escenarios de denegaci\u00f3n de servicio, particularmente en entornos CI/CD durante los procesos de verificaci\u00f3n de firma, ya que la firma timestamp fallar\u00eda debido a la presencia de un certificado revocado que podr\u00eda interrumpir las operaciones. Este problema se ha solucionado en la versi\u00f3n 1.3.0-rc.2 y se recomienda a todos los usuarios que actualicen la versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "baseScore": 4.0,
          "baseSeverity": "MEDIUM",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "availabilityImpact": "LOW"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 1.4
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-299"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v",
      "source": "security-advisories@github.com"
    }
  ]
}