
CVE-2024-55655 – sigstore-python has insufficient validation of integration timestamp during verification
https://notcve.org/view.php?id=CVE-2024-55655
10 Dec 2024 — sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present. This does not affect "v1" bundles, as the "v1" bundle format always requ... • https://github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf • CWE-20: Improper Input Validation CWE-325: Missing Cryptographic Step •

CVE-2024-54140 – sigstore-java has a vulnerability with bundle verification
https://notcve.org/view.php?id=CVE-2024-54140
05 Dec 2024 — sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides an invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify(). Currently checkpoints are only used to ensure the root hash of an inclusion proof was provided by the log in question. Failing to validate that means a bundle may provide an inclusion proof that doesn't actually correspond to the ... • https://github.com/sigstore/sigstore-conformance/pull/139 • CWE-20: Improper Input Validation •

CVE-2024-53267 – Vulnerability with bundle verification in sigstore-java
https://notcve.org/view.php?id=CVE-2024-53267
26 Nov 2024 — sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation of KeylessVerifier.verify(). The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby "veri... • https://github.com/sigstore/sigstore-conformance/pull/166 • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2024-51746 – Use of incorrect Rekor entries during verification in gitsign
https://notcve.org/view.php?id=CVE-2024-51746
05 Nov 2024 — Gitsign is a keyless Sigstore signing tool for Git commits with your GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be... • https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx • CWE-706: Use of Incorrectly-Resolved Name or Reference •

CVE-2024-45395 – Unbounded loop over untrusted input can lead to endless data attack
https://notcve.org/view.php?id=CVE-2024-45395
04 Sep 2024 — sigstore-go, a Go library for Sigstore signing and verification, is susceptible to a denial of service attack in versions prior to 0.6.1 when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, RFC 3161 timestamps, and attestation subjects. The verification of these data structures is computationally expensive. This can be used to consume excessive CPU resources, leading to a denial of service attack. TUF's... • https://github.com/sigstore/sigstore-go/blob/725e508ed4933e6f5b5206e32af4bbe76f587b54/pkg/verify/signature.go#L183-L193 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVE-2024-29903 – Cosign vulnerable to machine-wide denial of service via malicious artifacts
https://notcve.org/view.php?id=CVE-2024-29903
10 Apr 2024 — Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted artifact can control the amount of memory that Cosign allocates. The exact issue is Cosign allocates excessive memor... • https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-29902 – Cosign vulnerable to system-wide denial of service via malicious attachments
https://notcve.org/view.php?id=CVE-2024-29902
10 Apr 2024 — Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial. The root cause of this issue is... • https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2023-47122 – Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.
https://notcve.org/view.php?id=CVE-2023-47122
10 Nov 2023 — Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise of the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0.... • https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2023-46737 – Possible endless data attack from attacker-controlled registry in cosign
https://notcve.org/view.php?id=CVE-2023-46737
07 Nov 2023 — Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in an endless data attack. The root cause is that Cosign loops through all attestations fetched from the remote registry in pkg/cosign.FetchAttestations. The attacker needs to compromise the registry or make a request... • https://github.com/sigstore/cosign/commit/8ac891ff0e29ddc67965423bee8f826219c6eb0f • CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVE-2022-36056 – Vulnerabilities with blob verification in sigstore cosign
https://notcve.org/view.php?id=CVE-2022-36056
14 Sep 2022 — Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is ... • https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25 • CWE-347: Improper Verification of Cryptographic Signature •