CVE-2023-47122

2023-11-1022:15:14

CWE-347

[email protected]

web.nvd.nist.gov

cve-2023-47122

gitsign

rekor

sigstore

api

security vulnerability

keyless git signing

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.0%

JSON

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (rekor.sigstore.dev) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

Affected configurations

Vulners

NVD

Node

sigstoregitsignRange0.6.0–0.8.0

VendorProductVersionCPE
sigstoregitsign*cpe:2.3:a:sigstore:gitsign:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sigstore	gitsign	*	cpe:2.3:a:sigstore:gitsign::::::::

CNA Affected

[
  {
    "vendor": "sigstore",
    "product": "gitsign",
    "versions": [
      {
        "version": ">= 0.6.0, < 0.8.0",
        "status": "affected"
      }
    ]
  }
]