CVE-2024-29903

Name
CVE-2024-29903
Description
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted artifact can control the amount of memory that Cosign allocates. The exact issue is Cosign allocates excessive memory on the lines that creates a slice of the same length as the manifests. Version 2.2.4 contains a patch for the vulnerability.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955
MISC https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70
MISC https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
MISC https://github.com/sigstore/cosign/releases/tag/v2.2.4
CONFIRM https://github.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv

Match rules

CPE URI Source package Min version Max version
cosign >= 0 < 2.2.4
cpe:2.3:a:sigstore:cosign:-:*:*:*:*:*:*:* cosign >= 0 < 2.2.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
cosign 3.20-community 2.2.1-r5 Ariadne Conill <ariadne@dereferenced.org> possibly vulnerable