CVE-2024-51491
CVSS 3.1 Score 3.3 of 10 (low)
Details
Summary
CVE-2024-51491 is a vulnerability affecting the notation-go library used for signing and verifying OCI artifacts. During a security audit, Quarkslab discovered an issue in the Certificate Revocation List (CRL) based revocation check feature. The vulnerability arises when the library updates its CRL cache with os.Rename, a call that can fail because of operating-system-specific limitations: when the source and destination paths are on different mount points, the rename fails, and that failure leads to unexpected program termination, halting the signature verification process. The issue is specific to Linux distributions where the temporary files used in the process are stored on a dedicated filesystem (such as tmpfs) mounted at a separate mount point. This issue has been addressed in version 1.3.0-rc.2 of the library, and all users are advised to upgrade as soon as possible. There are currently no known workarounds for this vulnerability.
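The failure mode described above, as an added illustration that is not notation-go's own code: the temporary file is created in the cache's own directory so the final os.Rename never crosses a mount point, a cross-device rename error is recognised explicitly, and a failed cache update degrades to a logged warning instead of terminating verification. The function names and the CRL bytes are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// isCrossDevice reports whether a rename failed because source and
// destination live on different mount points (EXDEV on Linux).
func isCrossDevice(err error) bool {
	return errors.Is(err, syscall.EXDEV)
}

// writeCacheAtomically writes data to dst via a temp file created in
// dst's own directory, so os.Rename stays within one filesystem.
func writeCacheAtomically(dst string, data []byte) error {
	tmp, err := os.CreateTemp(filepath.Dir(dst), ".crl-*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	defer os.Remove(tmpName) // no-op once the rename has succeeded
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmpName, dst)
}

// verifyWithCache models the revocation step: a cache update failure is
// reported and verification continues, rather than crashing the process.
func verifyWithCache(cacheFile string, crl []byte) (cached bool, err error) {
	if err := writeCacheAtomically(cacheFile, crl); err != nil {
		if isCrossDevice(err) {
			fmt.Fprintf(os.Stderr, "crl cache: cross-device rename, cache not updated: %v\n", err)
		} else {
			fmt.Fprintf(os.Stderr, "crl cache: update failed (non-fatal): %v\n", err)
		}
		return false, nil
	}
	return true, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "crlcache")
	defer os.RemoveAll(dir)
	ok, _ := verifyWithCache(filepath.Join(dir, "crl.cache"), []byte("constructed CRL bytes"))
	fmt.Println("cached:", ok)
}
```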