Cosign Vulnerability Allows Supply-Chain Escalation, Patch Released
CVE-2024-29902

5.9 MEDIUM

Key Information:

Vendor: Sigstore
Status: Vendor
CVE Published: 10 April 2024

What is CVE-2024-29902?

Cosign, the Sigstore tool for signing and verifying container images and for storing signatures, SBOMs and attestations as attachments alongside images in OCI registries, has a vulnerability that lets a malicious attachment on a remote image cause a denial of service on the machine running Cosign. Before version 2.2.4, when Cosign fetches an attachment from a remote image, it reads the whole attachment into memory without first checking its size. An attachment larger than the memory available to the host exhausts it, so other processes on the same machine, such as a Redis database, can be starved or killed, with possible data loss. The issue is reachable through the supply chain: an attacker who compromises a registry or an image vendor's account can add an oversized attachment to an image, and every consumer that fetches the attachment while verifying the image is affected. Confidentiality and integrity are not impacted; the effect is on availability only. Version 2.2.4 fixes the issue by checking the attachment size against a limit before reading it.
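The pattern behind the bug and its fix, as an added example that is not Cosign's own code. A minimal `Attachment` interface stands in for the OCI layer type Cosign reads (a declared size from the manifest plus a content stream); `MaxAttachmentSize`, the type and function names, and the sample attachments are all assumptions for this example. The unbounded reader is the pre-2.2.4 shape; the bounded reader rejects an attachment whose declared size exceeds the cap and, because a registry can lie about the declared size, also caps the stream it actually reads.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// MaxAttachmentSize is an assumed cap for this example, not Cosign's real limit.
const MaxAttachmentSize int64 = 16 * 1024 * 1024 // 16 MiB

var ErrAttachmentTooLarge = errors.New("attachment exceeds size limit")

// Attachment models the two things that matter here: the size the manifest
// declares for the layer and the stream of bytes the registry actually sends.
type Attachment interface {
	Size() (int64, error)
	Content() (io.ReadCloser, error)
}

// memAttachment is a constructed attachment whose declared size may not match its data.
type memAttachment struct {
	declared int64
	data     []byte
}

func (m memAttachment) Size() (int64, error) { return m.declared, nil }
func (m memAttachment) Content() (io.ReadCloser, error) {
	return io.NopCloser(bytes.NewReader(m.data)), nil
}

// endlessAttachment declares a small size but streams zero bytes forever,
// modelling a registry that lies about the attachment size.
type endlessAttachment struct{ declared int64 }

type zeroStream struct{}

func (zeroStream) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 0
	}
	return len(p), nil
}

func (e endlessAttachment) Size() (int64, error) { return e.declared, nil }
func (e endlessAttachment) Content() (io.ReadCloser, error) {
	return io.NopCloser(zeroStream{}), nil
}

// readAttachmentUnbounded is the vulnerable pattern: whatever the remote
// sends is read into memory in full. Never call it on untrusted input.
func readAttachmentUnbounded(a Attachment) ([]byte, error) {
	rc, err := a.Content()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	return io.ReadAll(rc)
}

// readAttachmentBounded checks the declared size before fetching and then
// enforces the same limit on the bytes actually received.
func readAttachmentBounded(a Attachment, limit int64) ([]byte, error) {
	size, err := a.Size()
	if err != nil {
		return nil, err
	}
	if size > limit {
		return nil, fmt.Errorf("%w: declared %d bytes, limit %d", ErrAttachmentTooLarge, size, limit)
	}
	rc, err := a.Content()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	// Read at most limit+1 bytes so an over-long stream is detected, not silently truncated.
	buf, err := io.ReadAll(io.LimitReader(rc, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, fmt.Errorf("%w: stream exceeded %d bytes", ErrAttachmentTooLarge, limit)
	}
	return buf, nil
}

func main() {
	honest := memAttachment{declared: 5, data: []byte("hello")}
	huge := memAttachment{declared: 1 << 40}      // manifest claims 1 TiB
	liar := endlessAttachment{declared: 3}        // manifest claims 3 bytes, stream never ends

	for _, a := range []Attachment{honest, huge, liar} {
		buf, err := readAttachmentBounded(a, MaxAttachmentSize)
		fmt.Printf("bounded read: %d bytes, err=%v\n", len(buf), err)
	}
	buf, _ := readAttachmentUnbounded(honest) // safe only because the input is tiny
	fmt.Printf("unbounded read of honest attachment: %q\n", buf)
}
```

The declared-size check alone is not enough: a registry under attacker control can advertise a small layer and then stream gigabytes, so the `LimitReader` on the actual content is what closes the gap. Callers that only need to hash or forward the attachment should stream it rather than buffer it at all.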

Affected Version(s)

cosign < 2.2.4

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published (10 April 2024)