
CVE-2024-29903 – Cosign vulnerable to machine-wide denial of service via malicious artifacts
https://notcve.org/view.php?id=CVE-2024-29903
10 Apr 2024 — Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machine. The root cause is that Cosign creates slices based on the number of signatures, manifests or attestations in untrusted artifacts. As such, the untrusted artifact can control the amount of memory that Cosign allocates. The exact issue is Cosign allocates excessive memor... • https://github.com/sigstore/cosign/blob/14795db16417579fac0c00c11e166868d7976b61/pkg/cosign/verify.go#L948-L955 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2024-29902 – Cosign vulnerable to system-wide denial of service via malicious attachments
https://notcve.org/view.php?id=CVE-2024-29902
10 Apr 2024 — Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory available such as a Redis database which can result in data loss. It can also impact the availability of other services on the machine that will not be available for the duration of the machine denial. The root cause of this issue is... • https://github.com/google/go-containerregistry/blob/a0658aa1d0cc7a7f1bcc4a3af9155335b6943f40/pkg/v1/remote/layer.go#L36-L40 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2023-46737 – Possible endless data attack from attacker-controlled registry in cosign
https://notcve.org/view.php?id=CVE-2023-46737
07 Nov 2023 — Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long loop resulting in an endless data attack. The root cause is that Cosign loops through all attestations fetched from the remote registry in pkg/cosign.FetchAttestations. The attacker needs to compromise the registry or make a request... • https://github.com/sigstore/cosign/commit/8ac891ff0e29ddc67965423bee8f826219c6eb0f • CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
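The three advisories above (CVE-2024-29903, CVE-2024-29902 and CVE-2023-46737) share one shape: cosign sized its work from numbers the registry supplies, namely how many signature, manifest or attestation entries a manifest lists and how many bytes an attachment claims to hold. The Go below is an added illustration of that pattern and its bounded counterpart; it is not cosign's or go-containerregistry's code, and Descriptor, Manifest, the limit values and the sample manifests are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// Descriptor stands in for an OCI descriptor as a registry returns it. Size is
// untrusted: the body behind it may be shorter, longer, or never end.
type Descriptor struct {
	Size int64
	Body io.Reader
}

// Manifest stands in for the signature/attestation manifest cosign walks; the
// registry decides how many layers it lists.
type Manifest struct{ Layers []Descriptor }

var (
	ErrTooManyLayers      = errors.New("manifest lists more layers than the verifier will process")
	ErrAttachmentTooLarge = errors.New("attachment exceeds the verifier's byte limit")
)

// fetchTrusting has the shape the advisories describe: buffers are sized from the
// registry's own numbers, so a manifest with millions of entries or a descriptor
// declaring a huge Size drives allocation directly (a negative Size would panic).
func fetchTrusting(m Manifest) ([][]byte, error) {
	out := make([][]byte, 0, len(m.Layers)) // count chosen by the registry
	for _, d := range m.Layers {
		buf := make([]byte, d.Size) // size chosen by the registry
		n, err := io.ReadFull(d.Body, buf)
		if err != nil && !errors.Is(err, io.EOF) && !errors.Is(err, io.ErrUnexpectedEOF) {
			return nil, err
		}
		out = append(out, buf[:n])
	}
	return out, nil
}

// readBounded reads at most max bytes and fails if the stream has more, no matter
// what the descriptor claimed. Reading max+1 distinguishes "exactly max" from
// "more than max" without ever allocating from Size.
func readBounded(r io.Reader, max int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > max {
		return nil, ErrAttachmentTooLarge
	}
	return buf, nil
}

// fetchBounded is the hardened shape: reject oversized manifests before any
// per-layer work and cap every attachment read. maxLayers and maxBytes are
// policy values the caller picks (assumed here, not cosign's constants).
func fetchBounded(m Manifest, maxLayers int, maxBytes int64) ([][]byte, error) {
	if len(m.Layers) > maxLayers {
		return nil, ErrTooManyLayers
	}
	out := make([][]byte, 0, len(m.Layers)) // now bounded by maxLayers
	for _, d := range m.Layers {
		if d.Size > maxBytes { // cheap early reject; readBounded is the real guard
			return nil, ErrAttachmentTooLarge
		}
		buf, err := readBounded(d.Body, maxBytes)
		if err != nil {
			return nil, err
		}
		out = append(out, buf)
	}
	return out, nil
}

// endless models a registry that streams body bytes forever; io.ReadAll on it
// would never return.
type endless struct{}

func (endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

// Constructed inputs: one honest manifest and two hostile ones.
func benignManifest() Manifest {
	return Manifest{Layers: []Descriptor{{Size: 5, Body: strings.NewReader("hello")}}}
}

func manyLayersManifest(n int) Manifest {
	m := Manifest{Layers: make([]Descriptor, n)}
	for i := range m.Layers {
		m.Layers[i] = Descriptor{Size: 0, Body: strings.NewReader("")}
	}
	return m
}

func endlessManifest() Manifest { // honest-looking Size, endless body
	return Manifest{Layers: []Descriptor{{Size: 5, Body: endless{}}}}
}

func main() {
	for _, m := range []Manifest{benignManifest(), manyLayersManifest(5000), endlessManifest()} {
		out, err := fetchBounded(m, 1000, 1<<20)
		fmt.Printf("layers=%d accepted=%d err=%v\n", len(m.Layers), len(out), err)
	}
}
```

The early check on `len(m.Layers)` is what turns the 46737 loop from "as long as the registry likes" into a fixed bound; the `max+1` read is what turns an endless body from a hang into an error instead of relying on the registry's declared size.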

CVE-2022-36056 – Vulnerabilities with blob verification in sigstore cosign
https://notcve.org/view.php?id=CVE-2022-36056
14 Sep 2022 — Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is ... • https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25 • CWE-347: Improper Verification of Cryptographic Signature •

CVE-2022-35929 – False positive signature verification in cosign
https://notcve.org/view.php?id=CVE-2022-35929
04 Aug 2022 — cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verify-attestation` used with the `--type` flag will report a false positive verification when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. This vulnerability can be... • https://github.com/sigstore/cosign/commit/c5fda01a8ff33ca981f45a9f13e7fb6bd2080b94 • CWE-347: Improper Verification of Cryptographic Signature •
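The false positive above comes from deciding success on "some attestation verified" while the `--type` filter only shapes the output. The Go below is an added example, not cosign's code: it signs a constructed DSSE envelope with ed25519 (cosign supports other key types as well), then shows the verdict logic with and without the type filter folded in. The alias table is a subset of cosign's `--type` names as I recall them; treat the exact predicate URIs as assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

const intotoType = "application/vnd.in-toto+json"

type Signature struct {
	Sig string `json:"sig"` // base64 signature over PAE(payloadType, payload)
}

// Envelope is the DSSE envelope stored as an attestation layer; Payload is a
// base64 in-toto Statement.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Statement carries the predicateType that --type selects on.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// predicateTypes: assumed subset of cosign's --type aliases.
var predicateTypes = map[string]string{
	"custom":         "https://cosign.sigstore.dev/attestation/v1",
	"slsaprovenance": "https://slsa.dev/provenance/v0.2",
	"vuln":           "https://cosign.sigstore.dev/attestation/vuln/v1",
}

var (
	ErrNoValidSignature      = errors.New("no attestation carried a valid signature")
	ErrNoMatchingAttestation = errors.New("no valid attestation of the requested type")
)

// pae is DSSE's pre-authentication encoding.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

func signStatement(priv ed25519.PrivateKey, st Statement) Envelope {
	body, _ := json.Marshal(st)
	sig := ed25519.Sign(priv, pae(intotoType, body))
	return Envelope{PayloadType: intotoType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// verifyEnvelope accepts the envelope if any signature verifies against pub.
func verifyEnvelope(pub ed25519.PublicKey, env Envelope) (*Statement, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	msg, ok := pae(env.PayloadType, body), false
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(pub, msg, raw) {
			ok = true
			break
		}
	}
	if !ok {
		return nil, ErrNoValidSignature
	}
	var st Statement
	if err := json.Unmarshal(body, &st); err != nil {
		return nil, err
	}
	return &st, nil
}

// verifyAttestationsVulnerable has the pre-1.10.1 shape the advisory describes:
// the verdict is "at least one attestation verified"; the type only filters output.
func verifyAttestationsVulnerable(pub ed25519.PublicKey, envs []Envelope, typ string) ([]Statement, error) {
	want := predicateTypes[typ]
	var verified, matched []Statement
	for _, e := range envs {
		if st, err := verifyEnvelope(pub, e); err == nil {
			verified = append(verified, *st)
			if st.PredicateType == want {
				matched = append(matched, *st)
			}
		}
	}
	if len(verified) == 0 {
		return nil, ErrNoValidSignature
	}
	return matched, nil // nil, nil when nothing matched: the false positive
}

// verifyAttestationsFixed makes the type filter part of the verdict.
func verifyAttestationsFixed(pub ed25519.PublicKey, envs []Envelope, typ string) ([]Statement, error) {
	want, known := predicateTypes[typ]
	if !known {
		want = typ // allow a raw predicateType URI
	}
	var matched []Statement
	for _, e := range envs {
		if st, err := verifyEnvelope(pub, e); err == nil && st.PredicateType == want {
			matched = append(matched, *st)
		}
	}
	if len(matched) == 0 {
		return nil, ErrNoMatchingAttestation
	}
	return matched, nil
}

func newKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// provenanceOnly is the advisory's scenario (constructed): one validly signed
// attestation exists, but not of the type being verified.
func provenanceOnly(priv ed25519.PrivateKey) []Envelope {
	st := Statement{Type: "https://in-toto.io/Statement/v0.1", PredicateType: predicateTypes["slsaprovenance"],
		Predicate: json.RawMessage(`{"builder":{"id":"example"}}`)}
	return []Envelope{signStatement(priv, st)}
}

func main() {
	pub, priv := newKeypair()
	envs := provenanceOnly(priv)
	_, errV := verifyAttestationsVulnerable(pub, envs, "custom")
	_, errF := verifyAttestationsFixed(pub, envs, "custom")
	fmt.Printf("vulnerable: %v\nfixed: %v\n", errV, errF)
}
```

With `--type` defaulting to "custom", the vulnerable shape returns success and an empty result for an image that only carries SLSA provenance; the fixed shape fails, which is what a policy gate needs to see.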

CVE-2022-23649 – Improper Certificate Validation in Cosign
https://notcve.org/view.php?id=CVE-2022-23649
18 Feb 2022 — Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio. If an attacker has access to the signature in OCI, they can manipulate cosign in... • https://github.com/sigstore/cosign/commit/96d410a6580e4e81d24d112a0855c70ca3fb5b49 • CWE-295: Improper Certificate Validation •
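Both CVE-2022-36056 (a verify-blob bundle whose rekorBundle does not reference the given signature) and CVE-2022-23649 (cosign made to claim a Rekor entry exists for a signature) concern a bundle being accepted for a signature it does not actually cover; the page's truncated text does not state the exact root cause of the latter. The Go below is an added example, not cosign's or Rekor's code, of binding a bundle to the blob, signature and key being verified. Assumptions: the bundle and hashedrekord field names as I know them, ed25519 for both the signer and the log, and a SET computed over the raw JSON of Payload (the real log signs canonicalized JSON with ECDSA, and records a PEM key rather than raw bytes).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Bundle: the JSON cosign attaches to a signature (field names assumed).
type Bundle struct {
	SignedEntryTimestamp string  `json:"SignedEntryTimestamp"`
	Payload              Payload `json:"Payload"`
}

type Payload struct {
	Body           string `json:"body"` // base64 JSON of the hashedrekord entry
	IntegratedTime int64  `json:"integratedTime"`
	LogIndex       int64  `json:"logIndex"`
}

// entryBody: the parts of a hashedrekord entry the binding check needs.
type entryBody struct {
	Kind string `json:"kind"`
	Spec struct {
		Data struct {
			Hash struct {
				Value string `json:"value"`
			} `json:"hash"`
		} `json:"data"`
		Signature struct {
			Content   string `json:"content"`
			PublicKey struct {
				Content string `json:"content"`
			} `json:"publicKey"`
		} `json:"signature"`
	} `json:"spec"`
}

var (
	ErrBadSignature = errors.New("signature does not verify against the key")
	ErrBadSET       = errors.New("SET does not verify against the log key")
	ErrUnbound      = errors.New("log entry does not reference this blob, signature and key")
)

// logEntry stands in for Rekor: record (digest, sig, key) and sign the payload.
func logEntry(logPriv ed25519.PrivateKey, blob, sig []byte, pub ed25519.PublicKey, index int64) Bundle {
	var e entryBody
	e.Kind = "hashedrekord"
	d := sha256.Sum256(blob)
	e.Spec.Data.Hash.Value = hex.EncodeToString(d[:])
	e.Spec.Signature.Content = base64.StdEncoding.EncodeToString(sig)
	e.Spec.Signature.PublicKey.Content = base64.StdEncoding.EncodeToString(pub)
	body, _ := json.Marshal(e)
	p := Payload{Body: base64.StdEncoding.EncodeToString(body), IntegratedTime: 1660000000, LogIndex: index}
	raw, _ := json.Marshal(p)
	return Bundle{SignedEntryTimestamp: base64.StdEncoding.EncodeToString(ed25519.Sign(logPriv, raw)), Payload: p}
}

func verifySET(logPub ed25519.PublicKey, b Bundle) error {
	raw, _ := json.Marshal(b.Payload)
	set, err := base64.StdEncoding.DecodeString(b.SignedEntryTimestamp)
	if err != nil || !ed25519.Verify(logPub, raw, set) {
		return ErrBadSET
	}
	return nil
}

// verifyBlobVulnerable checks both signatures but never asks whether the log
// entry is about this blob and signature: any genuine bundle satisfies it.
func verifyBlobVulnerable(pub, logPub ed25519.PublicKey, blob, sig []byte, b Bundle) error {
	if !ed25519.Verify(pub, blob, sig) {
		return ErrBadSignature
	}
	return verifySET(logPub, b)
}

// verifyBlobBound adds the binding: digest, signature and key inside the entry
// must all equal what is being verified.
func verifyBlobBound(pub, logPub ed25519.PublicKey, blob, sig []byte, b Bundle) error {
	if err := verifyBlobVulnerable(pub, logPub, blob, sig, b); err != nil {
		return err
	}
	body, err := base64.StdEncoding.DecodeString(b.Payload.Body)
	var e entryBody
	if err != nil || json.Unmarshal(body, &e) != nil || e.Kind != "hashedrekord" {
		return ErrUnbound
	}
	d := sha256.Sum256(blob)
	gotSig, _ := base64.StdEncoding.DecodeString(e.Spec.Signature.Content)
	gotKey, _ := base64.StdEncoding.DecodeString(e.Spec.Signature.PublicKey.Content)
	if e.Spec.Data.Hash.Value != hex.EncodeToString(d[:]) || !bytes.Equal(gotSig, sig) || !bytes.Equal(gotKey, pub) {
		return ErrUnbound
	}
	return nil
}

// fixture (constructed data): two blobs signed by one key, each with its own log
// entry, so entry 2's bundle can be presented alongside blob 1.
type fixture struct {
	pub, logPub ed25519.PublicKey
	blob1, sig1 []byte
	b1, b2      Bundle
}

func newFixture() fixture {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	logPub, logPriv, _ := ed25519.GenerateKey(rand.Reader)
	blob1, blob2 := []byte("release-v1.tar.gz contents"), []byte("an unrelated artifact")
	sig1, sig2 := ed25519.Sign(priv, blob1), ed25519.Sign(priv, blob2)
	return fixture{pub: pub, logPub: logPub, blob1: blob1, sig1: sig1,
		b1: logEntry(logPriv, blob1, sig1, pub, 1), b2: logEntry(logPriv, blob2, sig2, pub, 2)}
}

func main() {
	f := newFixture()
	fmt.Println("vulnerable, wrong bundle:", verifyBlobVulnerable(f.pub, f.logPub, f.blob1, f.sig1, f.b2))
	fmt.Println("bound, wrong bundle:     ", verifyBlobBound(f.pub, f.logPub, f.blob1, f.sig1, f.b2))
}
```

The entry's integrated time is what keyless verification uses to decide whether a short-lived certificate was valid at signing time, so a verifier that accepts an unbound bundle is also accepting whatever timestamp that bundle happens to carry; the digest and signature comparison above is the cheap check that closes that door.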

CVE-2007-2232 – Cosign 2.0.1/2.9.4a - CGI Check Cookie Command Remote Authentication Bypass
https://notcve.org/view.php?id=CVE-2007-2232
25 Apr 2007 — The CHECK command in Cosign 2.0.1 and earlier allows remote attackers to bypass authentication requirements via CR (\r) sequences in the cosign cookie parameter. • https://www.exploit-db.com/exploits/29842 •

CVE-2007-2233 – Cosign 2.0.1/2.9.4a - CGI Register Command Remote Authentication Bypass
https://notcve.org/view.php?id=CVE-2007-2233
25 Apr 2007 — cosign-bin/cosign.cgi in Cosign 2.0.2 and earlier allows remote authenticated users to perform unauthorized actions as an arbitrary user by using CR (\r) sequences in the service parameter to inject LOGIN and REGISTER commands with the desired username. • https://www.exploit-db.com/exploits/29844 •
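The two 2007 entries (this Cosign is the University of Michigan web single sign-on, unrelated to sigstore) are the same bug twice: a CGI parameter is pasted into a line-oriented command sent to the cosign daemon, and a CR inside the parameter starts a second command. The Go below is an added illustration, not the cosign.cgi code; it assumes the daemon treats CR or LF as a command terminator and uses illustrative CHECK/REGISTER/LOGIN syntax and a cookie alphabet chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// splitCommands models the daemon's line reader under the assumption that a bare
// CR ends a command, which is what lets "\r" inside a parameter inject one.
func splitCommands(wire string) []string {
	return strings.FieldsFunc(wire, func(r rune) bool { return r == '\r' || r == '\n' })
}

// commandVerbs returns the first word of each command the daemon would act on.
func commandVerbs(wire string) []string {
	var verbs []string
	for _, c := range splitCommands(wire) {
		if f := strings.Fields(c); len(f) > 0 {
			verbs = append(verbs, f[0])
		}
	}
	return verbs
}

// buildCheckUnchecked is the vulnerable shape: the cookie parameter from the
// HTTP request goes straight onto the wire (CVE-2007-2232).
func buildCheckUnchecked(cookie string) string {
	return "CHECK " + cookie + "\r\n"
}

// buildRegisterUnchecked has the same flaw for the service parameter (CVE-2007-2233).
func buildRegisterUnchecked(cookie, ip, service string) string {
	return "REGISTER " + cookie + " " + ip + " " + service + "\r\n"
}

var ErrBadToken = errors.New("value contains characters outside the allowed alphabet")

// validateToken allows only what a cookie, address or service name needs
// (alphabet assumed for the example); CR, LF and everything else is rejected
// before it can reach the wire.
func validateToken(s string) error {
	if s == "" {
		return ErrBadToken
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		case c == '=' || c == '-' || c == '_' || c == '.' || c == '+' || c == '/':
		default:
			return ErrBadToken
		}
	}
	return nil
}

func buildCheck(cookie string) (string, error) {
	if err := validateToken(cookie); err != nil {
		return "", err
	}
	return buildCheckUnchecked(cookie), nil
}

func buildRegister(cookie, ip, service string) (string, error) {
	for _, v := range []string{cookie, ip, service} {
		if err := validateToken(v); err != nil {
			return "", err
		}
	}
	return buildRegisterUnchecked(cookie, ip, service), nil
}

// Constructed attacker input: a CHECK cookie that smuggles a LOGIN for "victim".
const smuggledCookie = "cosign-service=abc123\rLOGIN cosign=deadbeef 10.0.0.5 victim example.org"

func main() {
	fmt.Println("daemon sees:", commandVerbs(buildCheckUnchecked(smuggledCookie)))
	_, err := buildCheck(smuggledCookie)
	fmt.Println("validated:  ", err)
}
```

An allow-list is the right shape here rather than stripping "\r": the protocol is line based, so any byte the daemon might treat as a terminator (LF, NUL, or CR alone) has to be excluded, and a positive alphabet does that without having to know the daemon's exact tokenizer.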