CVE-2022-35929

False positive signature verification in cosign

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC

Descriptions

cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verify-attestation` used with the `--type` flag will report a false positive verification when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (`--type` defaults to `custom`). This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. This vulnerability can be reproduced with the `distroless.dev/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2` image. This image has a `vuln` attestation but not an `spdx` attestation. However, if you run `cosign verify-attestation --type=spdx` on this image, it incorrectly succeeds. This issue has been addressed in version 1.10.1 of cosign. Users are advised to upgrade. There are no known workarounds for this issue.

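The failure mode in the description, as an added Go example that is not cosign's own code: `verifyVulnerable` models the pre-1.10.1 logic (success decided by the signature pass, the `--type` filter applied afterwards without treating an empty result as a failure) and `verifyFixed` the fail-closed check. The `attestation` struct, the constructed sample mirroring the `distroless.dev/static` image, and the predicate-type URIs are assumptions for this example.

```go
package main

import "fmt"

// Predicate type URIs behind cosign's --type shorthands (quoted from memory; illustrative only).
const predicateVuln, predicateSPDX = "https://cosign.sigstore.dev/attestation/vuln/v1", "https://spdx.dev/Document"

// attestation stands in for a DSSE envelope: the predicateType of its in-toto Statement
// and the outcome of its signature check, constructed here rather than computed.
type attestation struct {
	PredicateType string
	SigOK         bool
}

// staticImageAtts is a constructed stand-in for the image in the advisory:
// one validly signed vuln attestation and no spdx attestation.
var staticImageAtts = []attestation{{predicateVuln, true}}

// verifyVulnerable models the pre-1.10.1 logic: the signature pass decides success and
// the --type filter only narrows the output, so an empty match is still reported as verified.
func verifyVulnerable(atts []attestation, wantType string) ([]attestation, error) {
	var valid, matched []attestation
	for _, a := range atts {
		if a.SigOK {
			valid = append(valid, a)
		}
	}
	if len(valid) == 0 {
		return nil, fmt.Errorf("no valid signatures found")
	}
	for _, a := range valid {
		if a.PredicateType == wantType {
			matched = append(matched, a)
		}
	}
	return matched, nil // may be empty while err == nil: the false positive
}

// verifyFixed fails closed: no valid attestation of the requested type is a verification error.
func verifyFixed(atts []attestation, wantType string) ([]attestation, error) {
	matched, err := verifyVulnerable(atts, wantType)
	if err == nil && len(matched) == 0 {
		err = fmt.Errorf("no valid attestations of type %q", wantType)
	}
	return matched, err
}
```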
*Credits: N/A
CVSS Scores
Metric               First listing   Second listing
Attack Vector        Network         Network
Attack Complexity    Low             High
Privileges Required  None            Low
User Interaction     None            Required
Scope                Unchanged       Unchanged
Confidentiality      High            High
Integrity            High            High
Availability         High            High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-07-15 CVE Reserved
  • 2022-08-04 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • 2024-12-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-347: Improper Verification of Cryptographic Signature
CAPEC
Affected Vendors, Products, and Versions
Vendor     Product   Version    Other   Status
Sigstore   Cosign    < 1.10.1   -       Affected