Sigstore Timestamp Authority Excessive Memory Allocation Vulnerability
Vulnerability
A vulnerability in Sigstore Timestamp Authority versions through 2.0.2 allows excessive memory allocation during request parsing. The issue arises in the 'ParseJSONRequest' and 'getContentType' functions, which split untrusted data on periods and on the string 'application', respectively. An attacker can trigger it with requests containing long OIDs or malformed 'Content-Type' headers, causing O(n) byte allocations, where n is the length of the input. This vulnerability is categorized under CWE-405: Asymmetric Resource Consumption (Amplification).
Impact
Exploitation of this vulnerability causes excessive memory allocation, which can lead to performance degradation or denial-of-service conditions.
Remediation
Users are advised to upgrade to Sigstore Timestamp Authority version 2.0.3. If the service is behind a load balancer, configure the load balancer to reject excessively large requests.
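As an added illustration (not the project's code; the function names, the limits and the JSON-only content-type check are assumptions), a bounded way to handle the two inputs the advisory names: cap length and count separators before splitting an OID, and parse Content-Type with mime.ParseMediaType instead of splitting on a substring.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"strconv"
	"strings"
)

// Limits assumed for this example; the service's real bounds are not on the page.
const (
	maxOIDLen  = 128 // longest dotted-decimal OID string accepted
	maxOIDArcs = 32  // most arcs (dot-separated components) accepted
	maxCTLen   = 256 // longest Content-Type header value accepted
)

var errBadOID = errors.New("invalid or oversized OID")

// parseOIDBounded checks length and separator count before splitting, so the
// slice it allocates is capped by maxOIDArcs rather than by the input length.
func parseOIDBounded(s string) ([]int, error) {
	if s == "" || len(s) > maxOIDLen || strings.Count(s, ".")+1 > maxOIDArcs {
		return nil, errBadOID
	}
	parts := strings.Split(s, ".")
	arcs := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, errBadOID // rejects "", "a", negatives and "1..2"
		}
		arcs = append(arcs, n)
	}
	return arcs, nil
}

// isJSONContentType does one bounded mime parse instead of splitting the header
// on the substring "application", and still handles parameters such as charset.
func isJSONContentType(ct string) bool {
	if len(ct) > maxCTLen {
		return false
	}
	mt, _, err := mime.ParseMediaType(ct)
	return err == nil && mt == "application/json"
}

func main() {
	fmt.Println(isJSONContentType(strings.Repeat("application", 50))) // false
}
```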