notaryproject notation-go up to 1.3.0-rc.1 improper check for certificate revocation
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.8 | $0-$5k | 0.00 |
Summary
A vulnerability was found in notaryproject notation-go up to 1.3.0-rc.1 and classified as problematic. This issue affects some unknown processing. The manipulation results in improper check for certificate revocation. This vulnerability is reported as CVE-2024-56138. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.
Details
A vulnerability was found in notaryproject notation-go up to 1.3.0-rc.1. It has been classified as problematic. Affected is an unknown code. The manipulation with an unknown input leads to a improper check for certificate revocation vulnerability. CWE is classifying the issue as CWE-299. The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised. This is going to have an impact on availability. CVE summarizes:
notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified. During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
The advisory is shared for download at github.com. This vulnerability is traded as CVE-2024-56138 since 12/16/2024. The exploitability is told to be difficult. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1557.003.
The vulnerability scanner Nessus provides a plugin with the ID 214906 (SUSE SLES15 / openSUSE 15 Security Update : govulncheck-vulndb (SUSE-SU-2025:0297-1)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 1.3.0-rc.2 eliminates this vulnerability.
The vulnerability is also documented in the vulnerability database at Tenable (214906). Once again VulDB remains the best source for vulnerability data.
Product
Type
Vendor
Name
Version
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 3.8VulDB Meta Temp Score: 3.8
VulDB Base Score: 3.7
VulDB Temp Score: 3.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 4.0
CNA Vector (GitHub_M): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Improper check for certificate revocationCWE: CWE-299 / CWE-298 / CWE-295
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 214906
Nessus Name: SUSE SLES15 / openSUSE 15 Security Update : govulncheck-vulndb (SUSE-SU-2025:0297-1)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: notation-go 1.3.0-rc.2
Timeline
12/16/2024 🔍01/13/2025 🔍
01/13/2025 🔍
02/04/2025 🔍
Sources
Product: github.comAdvisory: github.com
Status: Confirmed
CVE: CVE-2024-56138 (🔍)
GCVE (CVE): GCVE-0-2024-56138
GCVE (VulDB): GCVE-100-291372
Entry
Created: 01/13/2025 23:11Updated: 02/04/2025 12:49
Changes: 01/13/2025 23:11 (63), 02/04/2025 12:49 (2)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.