GO-2022-0326

Source
https://pkg.go.dev/vuln/GO-2022-0326
Import Source
https://vuln.go.dev/ID/GO-2022-0326.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0326
Aliases
Published
2023-11-09T18:00:31Z
Modified
2024-05-20T16:03:47Z
Summary
Improper certificate validation in github.com/sigstore/cosign
Details

Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio certificate authority.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0326"
}
References

Affected packages

Go / github.com/sigstore/cosign

Package

Name
github.com/sigstore/cosign
Purl
pkg:golang/github.com/sigstore/cosign

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.5.2

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/sigstore/cosign/pkg/cosign",
            "symbols": [
                "VerifyBundle",
                "VerifyImageAttestations",
                "VerifyImageSignature",
                "VerifyImageSignatures",
                "VerifyLocalImageAttestations",
                "VerifyLocalImageSignatures"
            ]
        },
        {
            "path": "github.com/sigstore/cosign/pkg/sget",
            "symbols": [
                "SecureGet.Do"
            ]
        },
        {
            "path": "github.com/sigstore/cosign/cmd/cosign/cli/verify",
            "symbols": [
                "PrintVerificationHeader",
                "VerifyAttestationCommand.Exec",
                "VerifyCommand.Exec"
            ]
        }
    ]
}