CVE-2022-35929
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-35929
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35929.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-35929
- Aliases
- Downstream
- Related
- Published
- 2022-08-04T18:45:14Z
- Modified
- 2025-12-04T10:27:16.987838Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- False positive signature verification in cosign
- Details
-
cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists.
cosign verify-attestationused with the--typeflag will report a false positive verification when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. This vulnerability can be reproduced with thedistroless.dev/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2image. This image has avulnattestation but not anspdxattestation. However, if you runcosign verify-attestation --type=spdxon this image, it incorrectly succeeds. This issue has been addressed in version 1.10.1 of cosign. Users are advised to upgrade. There are no known workarounds for this issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35929.json", "cwe_ids": [ "CWE-347" ], "cna_assigner": "GitHub_M" }- References