CVE-2023-33199
ADVISORY - github
Summary
Impact
A malformed proposed entry of the intoto/v0.0.2 type can cause a panic on a thread within the Rekor process. The thread is recovered, so the client receives a 500 error message and the service continues to run; the availability impact is therefore minimal.
Patches
This is fixed in v1.2.0 of Rekor.
Workarounds
No
References
Discovered by OSS-Fuzz
EPSS Score: 0.00111 (0.301)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Reachable Assertion
ADVISORY - github
Reachable Assertion