CVE-2023-47122
Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.
Public Exploits: 0
Exploited in Wild: no
Descriptions
Gitsign is software for keyless Git signing using Sigstore. In gitsign versions from 0.6.0 up to but not including 0.8.0, the Rekor public keys used to verify transparency-log entries were fetched from the Rekor API itself instead of from the local TUF client. Because the same server that produces a signed log entry also supplied the key used to check it, a compromised upstream Rekor server could serve a forged entry together with a key that verifies it, so gitsign clients could be tricked into trusting incorrect signatures. There is no known compromise of the default public good instance (`rekor.sigstore.dev`); anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.
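The following is an added illustration, not gitsign's or Rekor's own code. It models a transparency-log server in miniature (an ECDSA log key, a `sign` method standing in for issuing a signed entry timestamp, and a `publicKey` method standing in for the log's public-key API endpoint; these names are assumptions made for the example) and contrasts the two verification patterns the description above distinguishes. `verifyWithAPIKey` trusts whatever key the server hands out, as affected gitsign versions did; `verifyWithTrustedKey` uses a key pinned out of band, as a TUF-distributed trust root would. Against a compromised server only the second pattern rejects the forged entry:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// logServer is a toy stand-in for a Rekor instance (assumed name). A genuine
// server holds the real log key; a compromised server holds an attacker key
// and, crucially, serves that key from its own "public key" endpoint too.
type logServer struct {
	logKey *ecdsa.PrivateKey
}

// signedEntry stands in for a signed entry timestamp: a log entry body plus
// the log's ECDSA signature over its SHA-256 digest (simplified on purpose).
type signedEntry struct {
	body []byte
	sig  []byte
}

func newLogServer() *logServer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &logServer{logKey: k}
}

// publicKey mimics fetching the log key from the server's API.
func (s *logServer) publicKey() *ecdsa.PublicKey { return &s.logKey.PublicKey }

// sign issues an entry signed with whatever key this server controls.
func (s *logServer) sign(body []byte) signedEntry {
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, s.logKey, h[:])
	if err != nil {
		panic(err)
	}
	return signedEntry{body: body, sig: sig}
}

// verifyEntry checks the entry's signature against a given log public key.
func verifyEntry(pub *ecdsa.PublicKey, e signedEntry) bool {
	h := sha256.Sum256(e.body)
	return ecdsa.VerifyASN1(pub, h[:], e.sig)
}

// verifyWithAPIKey is the vulnerable pattern: the verification key is
// obtained from the very server whose entry is being verified.
func verifyWithAPIKey(srv *logServer, e signedEntry) bool {
	return verifyEntry(srv.publicKey(), e)
}

// verifyWithTrustedKey is the fixed pattern: the key comes from a local,
// independently distributed trust root (what a TUF client provides).
func verifyWithTrustedKey(trusted *ecdsa.PublicKey, e signedEntry) bool {
	return verifyEntry(trusted, e)
}

// outcome records what each verifier concludes for a genuine and a forged entry.
type outcome struct {
	apiGenuine, apiForged, tufGenuine, tufForged bool
}

// scenario pins the genuine log key as the trust root, then verifies a
// genuine entry and an attacker-forged entry under both patterns.
func scenario() outcome {
	genuine := newLogServer()
	trusted := genuine.publicKey() // distributed to the client out of band
	compromised := newLogServer()  // attacker-controlled key

	body := []byte("constructed entry: commit 0123abcd signed by alice@example.org")
	good := genuine.sign(body)
	forged := compromised.sign(body)

	return outcome{
		apiGenuine: verifyWithAPIKey(genuine, good),
		apiForged:  verifyWithAPIKey(compromised, forged), // accepted: server vouches for itself
		tufGenuine: verifyWithTrustedKey(trusted, good),
		tufForged:  verifyWithTrustedKey(trusted, forged), // rejected: key does not match trust root
	}
}

func main() {
	fmt.Printf("%+v\n", scenario())
}
```

The point the example makes is that signature verification is only as strong as the provenance of the verifying key: a key fetched over the same channel as the signed data lets the server vouch for itself, while a key anchored in a separately distributed trust root (TUF metadata in Sigstore's case) turns a server compromise into a verification failure instead of a silent acceptance.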
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2023-10-30 CVE Reserved
- 2023-11-10 CVE Published
- 2024-09-03 CVE Updated
- 2024-12-12 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-347: Improper Verification of Cryptographic Signature
CAPEC
References (4)
URL | Tag | Source
---|---|---
https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model | Product |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Sigstore | Gitsign | >= 0.6.0 < 0.8.0 | go | Affected