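# Go vulnerability database report (reviewed). The rendered copy had its
# indentation stripped, which turns `versions`, `vulnerable_at`, `packages`
# and the `symbols` lists into unrelated top-level keys; the nesting below
# restores the intended structure: one module, two affected packages.
id: GO-2022-0998
modules:
  - module: github.com/sigstore/cosign
    versions:
      # First release containing the fix commit listed under `references`;
      # consumers pinning cosign for signature verification should require
      # this version or later.
      - fixed: 1.12.0
    # Version at which the affected symbols were confirmed (vulndb `vulnerable_at`).
    vulnerable_at: 1.11.1
    packages:
      - package: github.com/sigstore/cosign/cmd/cosign/cli/verify
        # Directly affected functions: the blob-verification command and its
        # Rekor entry/bundle helpers (cf. `summary` below).
        symbols:
          - VerifyBlobCmd
          - verifySigByUUID
          - signatures
          - verifyRekorEntry
          - verifyRekorBundle
        # Exported entry points that reach the symbols above transitively.
        derived_symbols:
          - VerifyAttestationCommand.Exec
          - VerifyCommand.Exec
      - package: github.com/sigstore/cosign/pkg/cosign
        # Signed Entry Timestamp verification for transparency-log entries.
        symbols:
          - VerifySET
        # Library callers that reach VerifySET; image and local-image
        # verification APIs are affected through this path, not only `verify-blob`.
        derived_symbols:
          - TLogUpload
          - TLogUploadInTotoAttestation
          - VerifyBundle
          - VerifyImageAttestations
          - VerifyImageSignature
          - VerifyImageSignatures
          - VerifyLocalImageAttestations
          - VerifyLocalImageSignatures
          - VerifyTLogEntry
summary: Improper blob verification in github.com/sigstore/cosign
cves:
  - CVE-2022-36056
ghsas:
  - GHSA-8gw7-4j42-w388
references:
  - advisory: https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388
  - fix: https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25
  - web: https://github.com/sigstore/cosign/releases/tag/v1.12.0
review_status: REVIEWED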