{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T22:01:40.014","vulnerabilities":[{"cve":{"id":"CVE-2024-56138","sourceIdentifier":"security-advisories@github.com","published":"2025-01-13T22:15:14.313","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"notion-go is a collection of libraries for supporting sign and verify OCI artifacts. Based on Notary Project specifications. This issue was identified during Quarkslab's audit of the timestamp feature. During the timestamp signature generation, the revocation status of the certificate(s) used to generate the timestamp signature was not verified. During timestamp signature generation, notation-go did not check the revocation status of the certificate chain used by the TSA. This oversight creates a vulnerability that could be exploited through a Man-in-The-Middle attack. An attacker could potentially use a compromised, intermediate, or revoked leaf certificate to generate a malicious countersignature, which would then be accepted and stored by `notation`. This could lead to denial of service scenarios, particularly in CI/CD environments during signature verification processes because timestamp signature would fail due to the presence of a revoked certificate(s) potentially disrupting operations. This issue has been addressed in release version 1.3.0-rc.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability."},{"lang":"es","value":"notion-go es una colección de Librerías para respaldar la firma y verificación de artefactos OCI. Basado en las especificaciones del Proyecto Notary. Este problema se identificó durante la auditoría de Quarkslab de la característica timestamp. Durante la generación de la firma timestampp, no se verificó el estado de revocación de los certificados utilizados para generar la firma timestampmp. Durante la generación de la firma timestampamp, notation-go no verificó el estado de revocación de la cadena de certificados utilizada por la TSA. Este descuido crea una vulnerabilidad que podría explotarse a través de un ataque Man-in-The-Middle. Un atacante podría potencialmente usar un certificado de hoja comprometido, intermedio o revocado para generar una contrafirma maliciosa, que luego sería aceptada y almacenada por `notation`. Esto podría conducir a escenarios de denegación de servicio, particularmente en entornos CI/CD durante los procesos de verificación de firma, ya que la firma timestamptamp fallaría debido a la presencia de un certificado revocado que podría interrumpir las operaciones. Este problema se ha solucionado en la versión 1.3.0-rc.2 y se recomienda a todos los usuarios que actualicen la versión. No se conocen Workarounds para esta vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":4.0,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":2.5,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-299"}]}],"references":[{"url":"https://github.com/notaryproject/notation-go/commit/e7005a6d13e5ba472d4e166fbb085152f909e102","source":"security-advisories@github.com"},{"url":"https://github.com/notaryproject/notation-go/security/advisories/GHSA-45v3-38pc-874v","source":"security-advisories@github.com"}]}}]}