GO-2022-0326

Source
https://pkg.go.dev/vuln/GO-2022-0326
Import Source
https://vuln.go.dev/ID/GO-2022-0326.json
Aliases
Published
2023-11-09T18:00:31Z
Modified
2023-11-09T18:26:25.421321Z
Details

Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen both with standard signing using a keypair and with "keyless signing" via the Fulcio certificate authority.
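The weakness described above is a binding failure: a verifier that only confirms the Rekor log signed some bundle, without confirming that the bundle is about the signature and payload currently being checked, will accept a genuine bundle that an attacker with push access to the signature artifact has copied from another entry. The Go program below is an added illustration of the two checks side by side; it is not Cosign's or Sigstore's code. The bundle and log-entry layout (a body holding the payload digest and the signature, a signed entry timestamp over sha256 of the body), the P-256 keys, and the two image payloads are simplified assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// logBody stands in for a Rekor hashedrekord body (simplified assumption for this example).
type logBody struct {
	PayloadSHA256 string `json:"payloadSha256"` // hex sha256 of the signed payload
	SignatureB64  string `json:"signature"`     // base64 of the signature the log admitted
}

// bundle is the offline inclusion proof stored next to the signature in the registry. SET is
// the log key's signature over sha256(BodyB64) (simplified: the real one covers more fields).
type bundle struct {
	BodyB64 string
	SET     []byte
}

func digest(p []byte) []byte {
	d := sha256.Sum256(p)
	return d[:]
}

// issueBundle plays the log: record digest and signature, then sign the entry with the log key.
func issueBundle(logKey *ecdsa.PrivateKey, payload, sig []byte) (bundle, error) {
	body, err := json.Marshal(logBody{fmt.Sprintf("%x", sha256.Sum256(payload)), base64.StdEncoding.EncodeToString(sig)})
	if err != nil {
		return bundle{}, err
	}
	b := bundle{BodyB64: base64.StdEncoding.EncodeToString(body)}
	b.SET, err = ecdsa.SignASN1(rand.Reader, logKey, digest([]byte(b.BodyB64)))
	return b, err
}

// verifySETOnly is the weak check: it proves the log signed this bundle, not that the bundle is about this signature.
func verifySETOnly(logPub *ecdsa.PublicKey, b bundle) bool {
	return ecdsa.VerifyASN1(logPub, digest([]byte(b.BodyB64)), b.SET)
}

// verifyBundle additionally binds the bundle body to the payload and signature under verification.
func verifyBundle(logPub *ecdsa.PublicKey, b bundle, payload, sig []byte) error {
	if !verifySETOnly(logPub, b) {
		return fmt.Errorf("signed entry timestamp does not verify under the log key")
	}
	var body logBody
	if err := json.NewDecoder(base64.NewDecoder(base64.StdEncoding, strings.NewReader(b.BodyB64))).Decode(&body); err != nil {
		return fmt.Errorf("bundle body: %w", err)
	}
	if body.PayloadSHA256 != fmt.Sprintf("%x", sha256.Sum256(payload)) {
		return fmt.Errorf("bundle body does not cover the payload being verified")
	}
	if body.SignatureB64 != base64.StdEncoding.EncodeToString(sig) {
		return fmt.Errorf("bundle body does not cover the signature being verified")
	}
	return nil
}

// must panics on fixture setup errors (constructed keys; a failure here is a broken RNG, not the check).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// verdicts: strict check on the genuine signature, then SET-only and strict checks on the forgery.
type verdicts struct {
	GenuineStrict error
	ForgedWeak    bool
	ForgedStrict  error
}

// scenario: constructed keys and payloads; one genuinely logged signature, then an attacker's unlogged signature reusing its bundle.
func scenario() verdicts {
	logKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	attacker := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	genuinePayload := []byte(`{"critical":{"image":{"docker-manifest-digest":"sha256:aaaa"}}}`) // constructed
	genuineSig := must(ecdsa.SignASN1(rand.Reader, signer, digest(genuinePayload)))
	genuine := must(issueBundle(logKey, genuinePayload, genuineSig))
	forgedPayload := []byte(`{"critical":{"image":{"docker-manifest-digest":"sha256:bbbb"}}}`) // constructed
	forgedSig := must(ecdsa.SignASN1(rand.Reader, attacker, digest(forgedPayload))) // never sent to the log
	return verdicts{
		GenuineStrict: verifyBundle(&logKey.PublicKey, genuine, genuinePayload, genuineSig),
		ForgedWeak:    verifySETOnly(&logKey.PublicKey, genuine), // never sees forgedPayload or forgedSig
		ForgedStrict:  verifyBundle(&logKey.PublicKey, genuine, forgedPayload, forgedSig),
	}
}

func main() { fmt.Printf("%+v\n", scenario()) }
```

Running it prints a verdicts value in which the genuine signature passes the strict check, the lifted bundle passes the SET-only check (the behaviour the advisory describes), and the strict check rejects it because the body's payload digest does not match the payload being verified. The point for anyone consuming Rekor bundles: validity of the signed entry timestamp on its own proves only that the log admitted an entry, and the entry's contents must be compared against the exact signature and payload in hand.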

References

Affected packages

Go / github.com/sigstore/cosign

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
1.5.2

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/sigstore/cosign/pkg/cosign",
            "symbols": [
                "VerifyBundle",
                "VerifyImageAttestations",
                "VerifyImageSignature",
                "VerifyImageSignatures",
                "VerifyLocalImageAttestations",
                "VerifyLocalImageSignatures"
            ]
        },
        {
            "path": "github.com/sigstore/cosign/pkg/sget",
            "symbols": [
                "SecureGet.Do"
            ]
        },
        {
            "path": "github.com/sigstore/cosign/cmd/cosign/cli/verify",
            "symbols": [
                "PrintVerificationHeader",
                "VerifyAttestationCommand.Exec",
                "VerifyCommand.Exec"
            ]
        }
    ]
}