CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51746 – Use of incorrect Rekor entries during verification in gitsign
https://notcve.org/view.php?id=CVE-2024-51746
05 Nov 2024 — Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be... • https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47122 – Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.
https://notcve.org/view.php?id=CVE-2023-47122
10 Nov 2023 — Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0.... • https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model • CWE-347: Improper Verification of Cryptographic Signature •