GO-2022-0326

Source

https://pkg.go.dev/vuln/GO-2022-0326

Import Source

https://vuln.go.dev/ID/GO-2022-0326.json

Aliases

Published

2023-11-09T18:00:31Z

Modified

2023-11-09T18:26:25.421321Z

Details

Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio certificate authority.

References

Affected packages

Go / github.com/sigstore/cosign

Package

Name: github.com/sigstore/cosign

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.5.2

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/sigstore/cosign/pkg/cosign",
            "symbols": [
                "VerifyBundle",
                "VerifyImageAttestations",
                "VerifyImageSignature",
                "VerifyImageSignatures",
                "VerifyLocalImageAttestations",
                "VerifyLocalImageSignatures"
            ]
        },
        {
            "path": "github.com/sigstore/cosign/pkg/sget",
            "symbols": [
                "SecureGet.Do"
            ]
        },
        {
            "path": "github.com/sigstore/cosign/cmd/cosign/cli/verify",
            "symbols": [
                "PrintVerificationHeader",
                "VerifyAttestationCommand.Exec",
                "VerifyCommand.Exec"
            ]
        }
    ]
}