CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54140 – sigstore-java has a vulnerability with bundle verification
https://notcve.org/view.php?id=CVE-2024-54140
05 Dec 2024 — sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify(). Currently checkpoints are only used to ensure the root hash of an inclusion proof was provided by the log in question. Failing to validate that means a bundle may provide an inclusion proof that doesn't actually correspond to the ... • https://github.com/sigstore/sigstore-conformance/pull/139 • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53267 – Vulnerability with bundle verification in sigstore-java
https://notcve.org/view.php?id=CVE-2024-53267
26 Nov 2024 — sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation of KeylessVerifier.verify(). The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby "veri... • https://github.com/sigstore/sigstore-conformance/pull/166 • CWE-347: Improper Verification of Cryptographic Signature •