AVID-2026-R1457
Description
Cosign vulnerable to machine-wide denial of service via malicious artifacts (CVE-2024-29903)
Details
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously crafted software artifacts can cause denial of service of the machine running Cosign, thereby impacting all services on that machine. The root cause is that Cosign creates slices whose length is taken from the number of signatures, manifests or attestations in untrusted artifacts, so the untrusted artifact controls how much memory Cosign allocates. The exact issue is that Cosign allocates excessive memory on the lines that create a slice of the same length as the manifests. Version 2.2.4 contains a patch for the vulnerability.
Reason for inclusion in AVID: CVE-2024-29903 describes a denial-of-service vulnerability in cosign, a software supply chain tool used to sign/verify artifacts in CI/CD pipelines. This affects the artifact signing/verification step, which is a component of the software supply chain for AI deployments, making it relevant to general-purpose AI system stacks. It is a security vulnerability (DoS) with available CVE details and a patch in version 2.2.4. Sufficient evidence is provided in the report and references.
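As an added illustration of the bounded-allocation approach described above (this is not Cosign's own code; the Descriptor type, the streaming parser, and the caller-supplied cap are assumptions), this Go function reads the layers array of an untrusted manifest and rejects it as soon as the cap is exceeded, so memory use no longer scales with an attacker-chosen entry count:

```go
package main

import ("encoding/json"; "errors"; "strings")

// Descriptor is a minimal OCI-style layer descriptor (constructed for this example).
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

var ErrTooManyLayers = errors.New("manifest declares more layers than allowed")

// parseLayersBounded streams the "layers" array of an untrusted manifest and stops
// once more than maxLayers entries appear (illustrative logic, not Cosign's code).
func parseLayersBounded(manifest string, maxLayers int) ([]Descriptor, error) {
	dec := json.NewDecoder(strings.NewReader(manifest))
	if tok, err := dec.Token(); err != nil || tok != json.Delim('{') {
		return nil, errors.New("manifest is not a JSON object")
	}
	for dec.More() {
		keyTok, err := dec.Token()
		if err != nil {
			return nil, err
		}
		if key, _ := keyTok.(string); key != "layers" {
			if err := dec.Decode(&json.RawMessage{}); err != nil { // discard other fields
				return nil, err
			}
			continue
		}
		if tok, err := dec.Token(); err != nil || tok != json.Delim('[') {
			return nil, errors.New("layers is not an array")
		}
		var layers []Descriptor
		for dec.More() {
			if len(layers) >= maxLayers {
				return nil, ErrTooManyLayers // refuse before growing the slice further
			}
			var d Descriptor
			if err := dec.Decode(&d); err != nil {
				return nil, err
			}
			layers = append(layers, d)
		}
		return layers, nil
	}
	return nil, errors.New("manifest has no layers field")
}
```

A manifest with exactly the cap's number of layers is accepted; one more entry returns ErrTooManyLayers without the remaining entries ever being decoded.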
References
- NVD entry
- https://github.com/sigstore/cosign/security/advisories/GHSA-95pr-fxf5-86gv
- https://github.com/sigstore/cosign/commit/629f5f8fa672973503edde75f84dcd984637629e
- https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955
- https://github.com/sigstore/cosign/blob/286a98a4a99c1b2f32f84b0d560e324100312280/pkg/oci/remote/signatures.go#L56-L70
- https://github.com/sigstore/cosign/releases/tag/v2.2.4
Affected or Relevant Artifacts
- Developer: sigstore
- Deployer: sigstore
- Artifact Details:
| Type | Name |
|---|---|
| System | cosign |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H |
| Base Score | 4.2 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🔴 High |
| Privileges Required | 🔴 High |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-770 | Allocation of Resources Without Limits or Throttling |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-04-10
- Version: 0.3.3
- AVID Entry