CVE-2022-35930
Ability to bypass attestation verification in sigstore PolicyController
Descriptions
PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1, PolicyController reports a false positive: it admits an image that should be rejected whenever at least one attestation carries a valid signature but there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.
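The logic defect the description names is a missing type filter: the verifier answers "is there any validly signed attestation?" when the policy asked "is there a validly signed attestation of the requested type?". The following Go program is an added illustration of that pattern and its correction; it is not code from the sigstore policy-controller project. `Attestation`, `typeURIs`, `vulnerableVerify` and `fixedVerify` are constructed for this example, signature checking is modelled as a boolean, and the mapping of `--type custom` to a predicate type URI is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Attestation is a constructed stand-in for a verified in-toto attestation
// envelope: the predicate type it carries and whether its signature checked
// out against the policy's key. Real verification does much more; only the
// type-matching logic matters here.
type Attestation struct {
	PredicateType string
	SignatureOK   bool
}

// typeURIs maps a policy --type value to a predicate type URI. The "custom"
// mapping is an assumption for this illustration, not taken from the project.
var typeURIs = map[string]string{
	"custom": "https://cosign.sigstore.dev/attestation/v1",
	"spdx":   "https://spdx.dev/Document",
}

// vulnerableVerify models the flaw: it admits as soon as any attestation has a
// valid signature and never checks that the attestation is of the requested
// type, so a signed SBOM satisfies a policy that asked for "custom".
func vulnerableVerify(atts []Attestation, policyType string) (bool, error) {
	for _, a := range atts {
		if a.SignatureOK {
			return true, nil
		}
	}
	return false, errors.New("no attestation with a valid signature")
}

// fixedVerify filters by predicate type first and only then consults the
// signature result. Zero attestations of the requested type is a rejection
// with an explicit error, never a pass.
func fixedVerify(atts []Attestation, policyType string) (bool, error) {
	wantURI, ok := typeURIs[policyType]
	if !ok {
		return false, fmt.Errorf("unknown attestation type %q", policyType)
	}
	matched := 0
	for _, a := range atts {
		if a.PredicateType != wantURI {
			continue
		}
		matched++
		if a.SignatureOK {
			return true, nil
		}
	}
	if matched == 0 {
		return false, fmt.Errorf("no attestations of type %q (%s) found", policyType, wantURI)
	}
	return false, fmt.Errorf("%d attestation(s) of type %q found, none with a valid signature", matched, policyType)
}

func main() {
	// Constructed sample: one validly signed SBOM attestation and no "custom" one,
	// the situation the advisory describes.
	atts := []Attestation{{PredicateType: typeURIs["spdx"], SignatureOK: true}}
	verifiers := map[string]func([]Attestation, string) (bool, error){
		"vulnerable": vulnerableVerify,
		"fixed":      fixedVerify,
	}
	for name, verify := range verifiers {
		admitted, err := verify(atts, "custom")
		fmt.Printf("%-10s admitted=%v err=%v\n", name, admitted, err)
	}
}
```

The useful detection signal for a reviewer is the error branch: a verifier that can only say "no valid signature" cannot distinguish "wrong type" from "bad signature", which is exactly the ambiguity that let the empty-set case fall through as success.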
Timeline
- 2022-07-15 CVE Reserved
- 2022-08-04 CVE Published
- 2024-03-25 EPSS Updated
- 2024-08-03 CVE Updated
CWE
- CWE-347: Improper Verification of Cryptographic Signature
References (3)
URL | Tag | Date | Source
---|---|---|---
https://github.com/sigstore/policy-controller/releases/tag/v0.2.1 | Third Party Advisory | |
https://github.com/sigstore/policy-controller/security/advisories/GHSA-739f-hw6h-7wq8 | Third Party Advisory | |
https://github.com/sigstore/policy-controller/commit/e852af36fb7d42678b21d7e97503c25bd1fd05c8 | | 2022-08-11 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Sigstore | Policy Controller | < 0.2.1 | - | Affected