GO-2022-0326
- Source
- https://pkg.go.dev/vuln/GO-2022-0326
- Import Source
- https://vuln.go.dev/ID/GO-2022-0326.json
- JSON Data
- https://api.osv.dev/v1/vulns/GO-2022-0326
- Aliases
- Published
- 2023-11-09T18:00:31Z
- Modified
- 2024-05-20T16:03:47Z
- Summary
- Improper certificate validation in github.com/sigstore/cosign
- Details
-
Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio certificate authority.
- Database specific
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0326" }- References
Affected packages
Go / github.com/sigstore/cosign
Package
- Name
- github.com/sigstore/cosign
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/sigstore/cosign
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.5.2
Ecosystem specific
{
"imports": [
{
"path": "github.com/sigstore/cosign/pkg/cosign",
"symbols": [
"VerifyBundle",
"VerifyImageAttestations",
"VerifyImageSignature",
"VerifyImageSignatures",
"VerifyLocalImageAttestations",
"VerifyLocalImageSignatures"
]
},
{
"path": "github.com/sigstore/cosign/pkg/sget",
"symbols": [
"SecureGet.Do"
]
},
{
"path": "github.com/sigstore/cosign/cmd/cosign/cli/verify",
"symbols": [
"PrintVerificationHeader",
"VerifyAttestationCommand.Exec",
"VerifyCommand.Exec"
]
}
]
}