CVE-2015-9258: Docker Notary Signature Algorithm Not Matched to Key vulnerability

May 14, 2022 (updated August 2, 2023)

In Docker Notary before 0.1, gotuf/signed/verify.go has a Signature Algorithm Not Matched to Key vulnerability. Because an attacker controls the field specifying the signature algorithm, they might (for example) be able to forge a signature by forcing a misinterpretation of an RSA-PSS key as Ed25519 elliptic-curve data.

References

github.com/advisories/GHSA-785h-hrf7-gqxc
github.com/theupdateframework/notary/blob/master/docs/resources/ncc_docker_notary_audit_2015_07_31.pdf
nvd.nist.gov/vuln/detail/CVE-2015-9258
web.archive.org/web/20160305015752/https://docs.docker.com/notary/changelog/

Code Behaviors & Features

Detect and mitigate CVE-2015-9258 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →