
CVE-2022-23649

Improper Certificate Validation in Cosign

Severity Score

3.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio. If an attacker has access to the signature in OCI, they can manipulate cosign into believing the entry was stored in Rekor even though it wasn't. The vulnerability has been patched in v1.5.2 of Cosign. The `signature` in the `signedEntryTimestamp` provided by Rekor is now compared to the `signature` that is being verified. If these don't match, then an error is returned. If a valid bundle is copied to a different signature, verification should fail. Cosign output now only informs the user that certificates were verified if a certificate was in fact verified. There is currently no known workaround.
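As an added illustration (not cosign's own code), the following Go snippet shows the check the fix introduces in simplified form: the signature recorded inside the bundle's Rekor entry must be byte-for-byte the signature being verified, otherwise the bundle is rejected. It assumes a simplified bundle layout (only `payload.body`) and constructs its own fixture rather than reading real Rekor output.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Simplified bundle layout (assumed): Payload.Body is the base64-encoded Rekor entry JSON.
type Bundle struct {
	Payload struct{ Body string `json:"body"` } `json:"payload"`
}

// Only the part of a hashedrekord entry body that this check reads.
type rekorEntry struct {
	Spec struct {
		Signature struct{ Content string `json:"content"` } `json:"signature"`
	} `json:"spec"`
}

// checkBundleSignature fails unless the signature recorded in the bundle's Rekor entry
// equals the signature being verified, so a bundle copied from another signature is rejected.
func checkBundleSignature(b Bundle, sig []byte) error {
	body, err := base64.StdEncoding.DecodeString(b.Payload.Body)
	if err != nil {
		return errors.New("bundle body is not valid base64")
	}
	var e rekorEntry
	if err := json.Unmarshal(body, &e); err != nil {
		return errors.New("bundle body is not a parseable Rekor entry")
	}
	entrySig, err := base64.StdEncoding.DecodeString(e.Spec.Signature.Content)
	if err != nil || len(entrySig) == 0 {
		return errors.New("bundle entry carries no usable signature")
	}
	if !bytes.Equal(entrySig, sig) {
		return errors.New("rekor entry signature does not match the signature under verification")
	}
	return nil
}

// makeBundle builds a constructed bundle recording sig (test fixture, not real Rekor output).
func makeBundle(sig []byte) (b Bundle) {
	var e rekorEntry
	e.Spec.Signature.Content = base64.StdEncoding.EncodeToString(sig)
	body, _ := json.Marshal(e)
	b.Payload.Body = base64.StdEncoding.EncodeToString(body)
	return b
}
```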


*Credits: N/A
CVSS Scores
CVSS v3.1
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS v2.0
  • Attack Vector: Local
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: None
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-01-19 CVE Reserved
  • 2022-02-18 CVE Published
  • 2023-09-11 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-295: Improper Certificate Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor   | Product | Version | Other | Status
Sigstore | Cosign  | < 1.5.2 | -     | Affected