EUVD-2023-3067

🗓️ 03 Oct 2025 20:07:09Reported by EUVDType

Gitsign versions 0.6.0 to 0.8.0 had potential key trust issues fixed in v0.8.0. No workarounds exist.

Reporter	Title	Published	Views	Family All 15
CNNVD	Gitsign Security Vulnerabilities	10 Nov 202300:00	–	cnnvd
CVE	CVE-2023-47122	10 Nov 202321:33	–	cve
Cvelist	CVE-2023-47122 Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.	10 Nov 202321:33	–	cvelist
Debian CVE	CVE-2023-47122	10 Nov 202321:33	–	debiancve
Github Security Blog	Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.	14 Nov 202320:31	–	github
NVD	CVE-2023-47122	10 Nov 202322:15	–	nvd
OSV	CVE-2023-47122 Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.	10 Nov 202321:33	–	osv
OSV	GHSA-XVRC-2WVH-49VC Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.	14 Nov 202320:31	–	osv
OSV	GO-2023-2332 Gitsign's Rekor public keys fetched from upstream API instead of local TUF client. in github.com/sigstore/gitsign	21 Aug 202414:30	–	osv
Prion	Design/Logic Flaw	10 Nov 202322:15	–	prion

[
  {
    "enisaIdVendor": [
      {
        "id": "2baa6448-55dc-342c-9fec-a1dbedd66f25",
        "vendor": {
          "name": "sigstore"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "e8606a42-9a39-34cc-921e-bd59c274aaac",
        "product": {
          "name": "gitsign"
        },
        "product_version": "0.6.0, < 0.8.0"
      }
    ]
  }
]

Source	Link
github	www.github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc
nvd	www.nvd.nist.gov/vuln/detail/CVE-2023-47122
github	www.github.com/sigstore/gitsign/pull/399
github	www.github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236
docs	www.docs.sigstore.dev/about/threat-model/
github	www.github.com/sigstore/gitsign

03 Oct 2025 20:07Current

5.4Medium risk

Vulners AI Score5.4

CVSS 3.14.2 - 5.3

EPSS0.00099

SSVC