CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

CVE-2024-55655 – sigstore-python has insufficient validation of integration timestamp during verification
https://notcve.org/view.php?id=CVE-2024-55655
10 Dec 2024 — sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present. This does not affect "v1" bundles, as the "v1" bundle format always requ...
Reference: https://github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf
Weaknesses: CWE-20: Improper Input Validation; CWE-325: Missing Cryptographic Step