Summary: The popular sigstore signing tool for OCI containers, Cosign, is vulnerable to a denial of service by an attacker-controlled registry. An attacker can cause Cosign to enter a long loop that prevents other users from verifying their data. Users are advised to update to version 2.2.1 to mitigate this issue.


Cosign is a well-known sigstore signing tool for OCI containers that plays a significant role in ensuring the security and integrity of container images. Unfortunately, a recent vulnerability has been discovered in Cosign, which is susceptible to denial of service attacks by an attacker-controlled registry. The vulnerability has been assigned CVE identifier CVE-2023-46737.

In this particular vulnerability, an attacker who gains control over a remote registry can return an excessive number of attestations and/or signatures to the Cosign client. By doing so, they can cause Cosign to enter a lengthy or even infinite loop, resulting in an 'endless data attack.'

The root cause of this issue lies in Cosign's pkg/cosign.FetchAttestations function, which loops through all attestations fetched from the remote registry without a specified limit.

To exploit the vulnerability, the attacker would first need to compromise the target registry or make a request to a registry they control. They would then need to return a high number of attestations in response to Cosign. Consequently, this would cause Cosign to enter a problematic loop, preventing other users from verifying their images. In Kyverno's case, the attacker could trigger this infinite loop and deny admission requests for other users.

Moreover, if the attacker gains control over an organization's registry, they can disrupt the entire process by returning an extraordinarily high number of attestations, instead of the expected count. This significantly impacts an organization's overall security measures.

To demonstrate the issue, here is a simplified code snippet from pkg/cosign.FetchAttestations that lacks a limit on the number of fetched attestations:

func FetchAttestations(imageRef string) ([]Attestation, error) {
  attestations := []Attestation{}
  for {
    response := fetchAttestationsFromRegistry(imageRef) // This could result in a huge number of attestations being returned from the remote image
    if len(response) ==  {
    attestations = append(attestations, response...)

Fortunately, this issue can be mitigated quite easily by setting a limit on the number of attestations that Cosign will loop through. By setting an appropriate limit, Cosign can function normally within the majority of use cases while preventing the risk of an endless data attack.

To address this vulnerability, the Cosign team has released version 2.2.1, which includes a critical patch to remediate the issue. Users are advised to upgrade to this version as soon as possible to ensure the security and integrity of their container images.

For more information on this vulnerability and the associated patch, please visit the following original references:

1. Cosign GitHub Repository
2. CVE-2023-46737 Details
3. Sigstore Security Advisory

In conclusion, organizations using Cosign should be aware of this vulnerability and update their systems to version 2.2.1. By doing so, they can significantly reduce the risk of a denial of service attack resulting from an attacker-controlled registry and maintain a secure environment for verifying container images.


Published on: 11/07/2023 18:15:09 UTC
Last modified on: 11/14/2023 20:07:50 UTC