CVE-2023-30551

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-30551

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-30551.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-30551

Aliases

Related

Published

2023-05-08T16:15:09Z

Modified

2025-01-08T14:58:10.051298Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.

References

Affected packages

Git / github.com/sigstore/rekor

Affected ranges

Type: GIT
Repo: https://github.com/sigstore/rekor
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

cf42ace82667025fe128f7a50cf6b4cdff51cc48

Fixed

cf42ace82667025fe128f7a50cf6b4cdff51cc48

Affected versions

v0.*

v0.1.0

v0.1.1

v0.10.0

v0.11.0

v0.12.0

v0.12.1

v0.2.0

v0.3.0

v0.4.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.8.1

v0.8.2

v0.9.0

v0.9.1

v1.*

v1.0-rc

v1.0.0

v1.0.0-rc.1

v1.1.0