CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35930 – Ability to bypass attestation verification in sigstore PolicyController
https://notcve.org/view.php?id=CVE-2022-35930
04 Aug 2022 — PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afa... • https://github.com/sigstore/policy-controller/commit/e852af36fb7d42678b21d7e97503c25bd1fd05c8 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2022-35929 – False positive signature verification in cosign
https://notcve.org/view.php?id=CVE-2022-35929
04 Aug 2022 — cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verify-attestation` used with the `--type` flag will report a false positive verification when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. This vulnerability can be... • https://github.com/sigstore/cosign/commit/c5fda01a8ff33ca981f45a9f13e7fb6bd2080b94 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23649 – Improper Certificate Validation in Cosign
https://notcve.org/view.php?id=CVE-2022-23649
18 Feb 2022 — Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio. If an attacker has access to the signature in OCI, they can manipulate cosign in... • https://github.com/sigstore/cosign/commit/96d410a6580e4e81d24d112a0855c70ca3fb5b49 • CWE-295: Improper Certificate Validation •