CVSS: 2.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-54140 – sigstore-java has a vulnerability with bundle verification
https://notcve.org/view.php?id=CVE-2024-54140
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify(). Currently checkpoints are only used to ensure the root hash of an inclusion proof was provided by the log in question. Failing to validate that means a bundle may provide an inclusion proof that doesn't actually correspond to the log in question. This may eventually lead a monitor/witness being unable to detect when a compromised logs are providing different views of themselves to different clients. • https://github.com/sigstore/sigstore-conformance/pull/139 https://github.com/sigstore/sigstore-java/commit/23fb4885e6704a5df4977f7acf253a745349edf9 https://github.com/sigstore/sigstore-java/security/advisories/GHSA-jp26-88mw-89qr • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53267 – Vulnerability with bundle verification in sigstore-java
https://notcve.org/view.php?id=CVE-2024-53267
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation of KeylessVerifier.verify(). The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby "verifying" a bundle without any proof the signing event was logged. This allows the creation of a bundle without fulcio certificate and private key combined with an unrelated but time-correct log entry to fake logging of a signing event. A malicious actor using a compromised identity may want to do this to prevent discovery via rekor's log monitors. • https://github.com/sigstore/sigstore-conformance/pull/166 https://github.com/sigstore/sigstore-java/pull/856 https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w • CWE-347: Improper Verification of Cryptographic Signature •