CVE-2024-51746 – Use of incorrect Rekor entries during verification in gitsign
https://notcve.org/view.php?id=CVE-2024-51746
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification. • https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVE-2023-47122 – Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.
https://notcve.org/view.php?id=CVE-2023-47122
Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. • https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236 https://github.com/sigstore/gitsign/pull/399 https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc • CWE-347: Improper Verification of Cryptographic Signature •