{"id":"GO-2023-2181","summary":"Denial of service attack from remote registry in github.com/sigstore/cosign","details":"An attacker who controls a remote registry can return a high number of attestations and/or signatures to cosign. This can cause cosign to enter a long loop resulting in a denial of service, i.e., endless data attack.","aliases":["BIT-cosign-2023-46737","CVE-2023-46737","GHSA-vfp6-jrw2-99g9"],"modified":"2026-03-17T04:49:02.574569Z","published":"2023-11-09T18:40:33Z","related":["CGA-vq76-jv6h-3f48"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2023-2181"},"references":[{"type":"FIX","url":"https://github.com/sigstore/cosign/commit/8ac891ff0e29ddc67965423bee8f826219c6eb0f"},{"type":"WEB","url":"https://github.com/sigstore/cosign/releases/tag/v2.2.1"}],"affected":[{"package":{"name":"github.com/sigstore/cosign","ecosystem":"Go","purl":"pkg:golang/github.com/sigstore/cosign"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{"imports":[{"symbols":["FetchSignaturesForReference"],"path":"github.com/sigstore/cosign/pkg/cosign"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-2181.json"}},{"package":{"name":"github.com/sigstore/cosign/v2","ecosystem":"Go","purl":"pkg:golang/github.com/sigstore/cosign/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.2.1"}]}],"ecosystem_specific":{"imports":[{"symbols":["FetchSignaturesForReference"],"path":"github.com/sigstore/cosign/v2/pkg/cosign"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-2181.json"}}],"schema_version":"1.7.5"}