Cosign Patches Denial of Service Vulnerability Affecting All Services on Impacted Machines
CVE-2024-29903

7.5HIGH

Key Information:

Vendor

Sigstore

Status
Cosign
Vendor
CVE Published:
10 April 2024

What is CVE-2024-29903?

Cosign, a tool designed for code signing and transparency in the container ecosystem, is susceptible to a denial of service attack. Prior to version 2.2.4, specifically crafted untrusted software artifacts can manipulate Cosign's memory allocation, leading to excessive memory usage. This vulnerability arises as it creates slices proportional to the number of signatures, manifests, or attestations in the untrusted artifacts, allowing an attacker to control the memory consumption of the machine running the service. An update to version 2.2.4 addresses this issue and should be applied to mitigate potential exploitation.

Affected Version(s)

cosign < 2.2.4

References

https://github.com/sigstore/cosign/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/sigstore/cosign/commit/629f5f8fa672973...
x_refsource_MISC
https://github.com/sigstore/cosign/blob/14795db16417579fa...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.