CVE-2024-29902: Cosign malicious attachments can cause system-wide denial of service
A remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial.
References
- github.com/advisories/GHSA-88jx-383q-w4qc
- github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go
- github.com/sigstore/cosign
- github.com/sigstore/cosign/blob/9bc3ee309bf35d2f6e17f5d23f231a3d8bf580bc/pkg/oci/remote/remote.go
- github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
- github.com/sigstore/cosign/releases/tag/v2.2.4
- github.com/sigstore/cosign/security/advisories/GHSA-88jx-383q-w4qc
- nvd.nist.gov/vuln/detail/CVE-2024-29902
Code Behaviors & Features
Detect and mitigate CVE-2024-29902 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →