CVE-2023-47122

Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

Gitsign es un software para la firma Git sin llave mediante Sigstore. En las versiones de gitsign que comienzan con 0.6.0 y anteriores a 0.8.0, las claves públicas de Rekor se obtuvieron a través de la API de Rekor, en lugar de a través del cliente TUF local. Si el servidor Rekor ascendente estuviera comprometido, los clientes de gitsign podrían ser engañados para que confíen en firmas incorrectas. No se conoce ningún compromiso con la instancia de bien público predeterminada (`rekor.sigstore.dev`): cualquiera que use esta instancia no se ve afectado. Este problema se solucionó en v0.8.0. No hay workarounds conocidos disponibles.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-10-30 CVE Reserved
2023-11-10 CVE Published
2023-11-17 EPSS Updated
2024-09-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-347: Improper Verification of Cryptographic Signature

CAPEC

References (4)

URL	Tag	Source
https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model	Product

URL	Date	SRC

URL	Date	SRC
https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236	2023-11-16
https://github.com/sigstore/gitsign/pull/399	2023-11-16
https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc	2023-11-16

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sigstore Search vendor "Sigstore"		Gitsign Search vendor "Sigstore" for product "Gitsign"				>= 0.6.0 < 0.8.0 Search vendor "Sigstore" for product "Gitsign" and version " >= 0.6.0 < 0.8.0"		go		Affected