Notary Project Notation up to 1.0.1 operation after expiration
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.6 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Notary Project Notation up to 1.0.1. It has been rated as problematic. The impacted element is an unknown function. Performing a manipulation results in operation after expiration. This vulnerability was named CVE-2024-23332. The attack may be initiated remotely. There is no available exploit. To fix this issue, it is recommended to deploy a patch.
Details
A vulnerability, which was classified as problematic, was found in Notary Project Notation up to 1.0.1 (Project Management Software). This affects an unknown function. The manipulation with an unknown input leads to a operation after expiration vulnerability. CWE is classifying the issue as CWE-672. The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. This is going to have an impact on integrity, and availability. The summary by CVE is:
The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts. An external actor with control of a compromised container registry can provide outdated versions of OCI artifacts, such as Images. This could lead artifact consumers with relaxed trust policies (such as `permissive` instead of `strict`) to potentially use artifacts with signatures that are no longer valid, making them susceptible to any exploits those artifacts may contain. In Notary Project, an artifact publisher can control the validity period of artifact by specifying signature expiry during the signing process. Using shorter signature validity periods along with processes to periodically resign artifacts, allows artifact producers to ensure that their consumers will only receive up-to-date artifacts. Artifact consumers should correspondingly use a `strict` or equivalent trust policy that enforces signature expiry. Together these steps enable use of up-to-date artifacts and safeguard against rollback attack in the event of registry compromise. The Notary Project offers various signature validation options such as `permissive`, `audit` and `skip` to support various scenarios. These scenarios includes 1) situations demanding urgent workload deployment, necessitating the bypassing of expired or revoked signatures; 2) auditing of artifacts lacking signatures without interrupting workload; and 3) skipping of verification for specific images that might have undergone validation through alternative mechanisms. Additionally, the Notary Project supports revocation to ensure the signature freshness. Artifact publishers can sign with short-lived certificates and revoke older certificates when necessary. This revocation serves as a signal to inform artifact consumers that the corresponding unexpired artifact is no longer approved by the publisher. This enables the artifact publisher to control the validity of the signature independently of their ability to manage artifacts in a compromised registry.
The weakness was presented 01/20/2024 as GHSA-57wx-m636-g3g8. It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2024-23332 since 01/15/2024. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available.
Applying the patch cdabdd1042de2999c685fa5d422a785ded9c983a is able to eliminate this problem. The bugfix is ready for download at github.com.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.6VulDB Meta Temp Score: 4.6
VulDB Base Score: 3.1
VulDB Temp Score: 3.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 6.8
NVD Vector: 🔍
CNA Base Score: 4.0
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Operation after expirationCWE: CWE-672
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: cdabdd1042de2999c685fa5d422a785ded9c983a
Timeline
01/15/2024 🔍01/20/2024 🔍
01/20/2024 🔍
02/15/2024 🔍
Sources
Advisory: GHSA-57wx-m636-g3g8Status: Confirmed
CVE: CVE-2024-23332 (🔍)
GCVE (CVE): GCVE-0-2024-23332
GCVE (VulDB): GCVE-100-251643
Entry
Created: 01/20/2024 08:04Updated: 02/15/2024 19:19
Changes: 01/20/2024 08:04 (51), 02/15/2024 19:19 (11)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.