| { |
| "schema_version": "1.3.1", |
| "id": "GO-2022-0326", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "0001-01-01T00:00:00Z", |
| "aliases": [ |
| "CVE-2022-23649", |
| "GHSA-ccxc-vr6p-4858" |
| ], |
| "summary": "Improper certificate validation in github.com/sigstore/cosign", |
| "details": "Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and \"keyless signing\" with Fulcio certificate authority.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/sigstore/cosign", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0" |
| }, |
| { |
| "fixed": "1.5.2" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/sigstore/cosign/pkg/cosign", |
| "symbols": [ |
| "VerifyBundle", |
| "VerifyImageAttestations", |
| "VerifyImageSignature", |
| "VerifyImageSignatures", |
| "VerifyLocalImageAttestations", |
| "VerifyLocalImageSignatures" |
| ] |
| }, |
| { |
| "path": "github.com/sigstore/cosign/pkg/sget", |
| "symbols": [ |
| "SecureGet.Do" |
| ] |
| }, |
| { |
| "path": "github.com/sigstore/cosign/cmd/cosign/cli/verify", |
| "symbols": [ |
| "PrintVerificationHeader", |
| "VerifyAttestationCommand.Exec", |
| "VerifyCommand.Exec" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "FIX", |
| "url": "https://github.com/sigstore/cosign/commit/96d410a6580e4e81d24d112a0855c70ca3fb5b49" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://github.com/sigstore/cosign/releases/tag/v1.5.2" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-0326", |
| "review_status": "REVIEWED" |
| } |
| } |