// For flags

CVE-2024-54140

sigstore-java has a vulnerability with bundle verification

Severity Score

2.1
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify(). Currently checkpoints are only used to ensure the root hash of an inclusion proof was provided by the log in question. Failing to validate that means a bundle may provide an inclusion proof that doesn't actually correspond to the log in question. This may eventually lead a monitor/witness being unable to detect when a compromised logs are providing different views of themselves to different clients. There are other mechanisms right now that mitigate this, such as the signed entry timestamp. Sigstore-java currently requires a valid signed entry timestamp. By correctly verifying the signed entry timestamp we can make certain assertions about the log signing the log entry (like the log was aware of the artifact signing event and signed it). Therefore the impact on clients that are not monitors/witnesses is very low. This vulnerability is fixed in 1.2.0.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
None
None
Integrity
Low
None
Availability
None
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-11-29 CVE Reserved
  • 2024-12-05 CVE Published
  • 2024-12-07 EPSS Updated
  • 2024-12-10 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Sigstore
Search vendor "Sigstore"
Sigstore-java
Search vendor "Sigstore" for product "Sigstore-java"
< 1.2.0
Search vendor "Sigstore" for product "Sigstore-java" and version " < 1.2.0"
en
Affected