CVE-2024-51491: notation-go has an OS error when setting CRL cache leads to denial of signature verification
The issue was identified during Quarkslab's security audit of the Certificate Revocation List (CRL) based revocation check feature. After retrieving a CRL, notation-go attempts to update the on-disk CRL cache with os.Rename. On Linux os.Rename maps to rename(2), which fails with EXDEV when the source and destination paths are on different file systems (for example, a temporary file written under a tmpfs-backed /tmp and moved into a cache directory on another mount), so the update can fail for reasons unrelated to the CRL itself. A failed rename here could lead to an unexpected program termination, and therefore to a denial of signature verification, instead of a reported error.
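The following Go program is an added example and is not notation-go's code; it shows the pattern a cache writer should use to avoid this failure mode. The temporary file is created in the destination's own directory, so the final rename(2) can never cross a mount point, and a separate move helper recognises EXDEV (the error rename(2) returns for cross-filesystem renames, per the man page referenced below) and falls back to copying rather than aborting. All function names (writeCacheFileAtomic, moveFile, copyAndRemove, isCrossDevice), the cache layout and the sample CRL bytes are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// writeCacheFileAtomic writes data to dst by creating a temporary file in
// dst's own directory and renaming it into place. Because the temporary file
// lives next to dst, the rename never crosses a mount point and rename(2)
// cannot fail with EXDEV. Every error is returned to the caller; nothing
// here panics or exits. (Hypothetical helper written for this example.)
func writeCacheFileAtomic(dst string, data []byte) (err error) {
	dir := filepath.Dir(dst)
	if err = os.MkdirAll(dir, 0o700); err != nil {
		return fmt.Errorf("create cache dir %s: %w", dir, err)
	}
	tmp, err := os.CreateTemp(dir, filepath.Base(dst)+".tmp-*")
	if err != nil {
		return fmt.Errorf("create temp file in %s: %w", dir, err)
	}
	tmpName := tmp.Name()
	defer func() {
		// On any failure remove the partial file so it never lingers in the cache.
		if err != nil {
			os.Remove(tmpName)
		}
	}()
	if _, err = tmp.Write(data); err != nil {
		tmp.Close()
		return fmt.Errorf("write %s: %w", tmpName, err)
	}
	if err = tmp.Sync(); err != nil {
		tmp.Close()
		return fmt.Errorf("sync %s: %w", tmpName, err)
	}
	if err = tmp.Close(); err != nil {
		return fmt.Errorf("close %s: %w", tmpName, err)
	}
	if err = os.Rename(tmpName, dst); err != nil {
		return fmt.Errorf("rename %s to %s: %w", tmpName, dst, err)
	}
	return nil
}

// isCrossDevice reports whether err is rename(2)'s EXDEV failure, which
// os.Rename surfaces wrapped in an *os.LinkError.
func isCrossDevice(err error) bool {
	return errors.Is(err, syscall.EXDEV)
}

// copyAndRemove is the cross-filesystem fallback: copy the bytes into dst's
// directory (atomically) and only then remove the source.
func copyAndRemove(src, dst string) error {
	data, err := os.ReadFile(src)
	if err != nil {
		return fmt.Errorf("read %s: %w", src, err)
	}
	if err := writeCacheFileAtomic(dst, data); err != nil {
		return err
	}
	return os.Remove(src)
}

// moveFile first tries a plain rename; when the kernel refuses with EXDEV it
// falls back to copyAndRemove. Any other error is returned unchanged so the
// caller can report a failed cache update instead of terminating.
func moveFile(src, dst string) error {
	err := os.Rename(src, dst)
	if err == nil {
		return nil
	}
	if !isCrossDevice(err) {
		return fmt.Errorf("rename %s to %s: %w", src, dst, err)
	}
	return copyAndRemove(src, dst)
}

func main() {
	// Constructed demo: a "fetched CRL" lands in os.TempDir() and is moved into
	// a cache directory. Pass a directory on another mount (e.g. a tmpfs /tmp
	// versus a cache on /home) as the first argument to exercise the EXDEV path.
	cacheDir, err := os.MkdirTemp("", "crl-cache-")
	if err != nil {
		fmt.Println("cannot create cache dir:", err)
		return
	}
	defer os.RemoveAll(cacheDir)
	if len(os.Args) > 1 {
		cacheDir = os.Args[1]
	}
	src := filepath.Join(os.TempDir(), "fetched-crl.der")
	if err := os.WriteFile(src, []byte("constructed CRL bytes"), 0o600); err != nil {
		fmt.Println("cannot write fetched CRL:", err)
		return
	}
	dst := filepath.Join(cacheDir, "crl.der")
	if err := moveFile(src, dst); err != nil {
		fmt.Println("cache update failed (verification should report, not abort):", err)
		return
	}
	fmt.Println("CRL cached at", dst)
}
```

The key design choice is that the temporary file is created in the same directory as its final name; that alone removes the EXDEV case for the common path, and the copy fallback covers callers that hand in a source on another file system. Both helpers return errors rather than terminating, so a cache problem degrades to a reportable revocation-check failure.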
References
- github.com/advisories/GHSA-qjh3-4j3h-vmwp
- github.com/notaryproject/notation-go
- github.com/notaryproject/notation-go/commit/3c3302258ad510fbca2f8a73731569d91f07d196
- github.com/notaryproject/notation-go/security/advisories/GHSA-qjh3-4j3h-vmwp
- man7.org/linux/man-pages/man2/rename.2.html
- nvd.nist.gov/vuln/detail/CVE-2024-51491
Detect and mitigate CVE-2024-51491 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.