CVE-2024-56138: notation-go's timestamp signature generation lacks certificate revocation check
During timestamp signature generation, notation-go did not verify the revocation status of the certificate(s) used to generate the timestamp signature.
References
- github.com/advisories/GHSA-45v3-38pc-874v
- github.com/notaryproject/notation-go
- github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102
- github.com/notaryproject/notation-go/commit/e99be1954a15673020150c5f8800b8174cd7428d
- github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v
- nvd.nist.gov/vuln/detail/CVE-2024-56138