Vulnerability Report: GO-2022-0326

CVE-2022-23649, GHSA-ccxc-vr6p-4858
Affects: github.com/sigstore/cosign
Published: Nov 09, 2023
Modified: May 20, 2024

Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio certificate authority.

Affected Packages

Path

Go Versions

Symbols
github.com/sigstore/cosign/pkg/cosign

before v1.5.2
6 affected symbols
github.com/sigstore/cosign/pkg/sget

before v1.5.2
- SecureGet.Do
github.com/sigstore/cosign/cmd/cosign/cli/verify

before v1.5.2

Aliases

CVE-2022-23649
GHSA-ccxc-vr6p-4858

References

https://github.com/sigstore/cosign/commit/96d410a6580e4e81d24d112a0855c70ca3fb5b49
https://github.com/sigstore/cosign/releases/tag/v1.5.2
https://vuln.go.dev/ID/GO-2022-0326.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL