GitHub Advisory Database: GHSA-739F-HW6H-7WQ8
History: Aug 10, 2022 - 6:38 p.m.

PolicyController before 0.2.1 may bypass attestation verification

2022-08-10 18:38:16
CWE-347
GitHub Advisory Database
github.com
Tags: policycontroller, attestation verification, false positive, admission, upgrade, cosign, patch, security vulnerability

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

55.9%

PolicyController will report a false positive, admitting a resource that should have been rejected, when both of the following hold:

  • There is at least one attestation with a valid signature
  • There are NO attestations of the type being verified (`--type` defaults to "custom")

Users should upgrade to cosign version 0.2.1 or greater for a patch. There are no known workarounds at this time.
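The two conditions above describe a verification check that tests signature validity and predicate type independently instead of together. The following is an added illustration of that failure mode and its fix, not policy-controller's or cosign's own code; the `Attestation` type, the SLSA predicate URI and the sample inputs are constructed, and only the default type "custom" comes from the advisory.

```go
package main

import "fmt"

// Attestation is a constructed, simplified stand-in for a signed
// in-toto attestation: its predicate type plus whether its signature
// verified against the configured key (the real verification is elided).
type Attestation struct {
	PredicateType string
	SignatureOK   bool
}

// verifyBuggy models the behaviour the advisory describes: admission
// succeeds as soon as ANY attestation carries a valid signature, and
// the requested type is never enforced on the final decision.
func verifyBuggy(atts []Attestation, wantType string) bool {
	anyValid := false
	for _, a := range atts {
		if a.SignatureOK {
			anyValid = true
		}
	}
	// wantType is ignored here on purpose: this is the defect
	return anyValid
}

// verifyFixed requires at least one attestation that is BOTH validly
// signed AND of the requested predicate type; an empty match set denies.
func verifyFixed(atts []Attestation, wantType string) bool {
	for _, a := range atts {
		if a.SignatureOK && a.PredicateType == wantType {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: one validly signed provenance attestation,
	// but no attestation of the default type "custom".
	atts := []Attestation{{PredicateType: "https://slsa.dev/provenance/v0.2", SignatureOK: true}}
	fmt.Println("buggy:", verifyBuggy(atts, "custom")) // true (false positive)
	fmt.Println("fixed:", verifyFixed(atts, "custom")) // false (denied)
}
```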

Affected configurations

Node: github.com/sigstore/policycontroller
Range: < 0.2.1
