CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
21.8%
In certain versions of gitsign, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures.
There is no known compromise of the default public-good instance (rekor.sigstore.dev) - anyone using this instance is unlikely to be affected.
This was fixed in v0.8.0 via https://github.com/sigstore/gitsign/pull/399
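As an added illustration of the key-sourcing problem this advisory describes (a constructed model, not gitsign or Rekor code): a verifier that takes the log's public key from the same server whose entries it is checking lets a compromised server vouch for itself, while a key pinned locally (in gitsign, delivered by the TUF client) does not. The Entry and Server types, the P-256 keys and the pinned-key stand-in for the TUF root are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

type Entry struct{ Body, Sig []byte } // toy log entry: body plus log signature (constructed, not Rekor's format)

type Server struct{ priv *ecdsa.PrivateKey } // models an upstream Rekor instance that signs entries and serves its key over the API

func NewServer() *Server {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Server{priv: k}
}

func (s *Server) Sign(body []byte) Entry {
	h := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, h[:])
	if err != nil {
		panic(err)
	}
	return Entry{Body: body, Sig: sig}
}

// VerifyWithAPIKey is the pre-0.8.0 pattern: the key comes from the server
// whose entry is being checked, so a compromised server vouches for itself.
func VerifyWithAPIKey(s *Server, e Entry) bool {
	h := sha256.Sum256(e.Body)
	return ecdsa.VerifyASN1(&s.priv.PublicKey, h[:], e.Sig)
}

// VerifyWithTrustedKey is the fixed pattern: the key is pinned locally (in
// gitsign, delivered by the TUF client) and does not depend on the server.
func VerifyWithTrustedKey(trusted *ecdsa.PublicKey, e Entry) bool {
	h := sha256.Sum256(e.Body)
	return ecdsa.VerifyASN1(trusted, h[:], e.Sig)
}

// Scenario: a rogue server signs an entry with its own key; only the pinned-key check rejects it.
func Scenario() (apiAccepts, pinnedAccepts bool) {
	genuine, rogue := NewServer(), NewServer() // genuine's key is what a local TUF root would pin
	forged := rogue.Sign([]byte("constructed log entry body"))
	return VerifyWithAPIKey(rogue, forged), VerifyWithTrustedKey(&genuine.priv.PublicKey, forged)
}
```

Scenario returns (true, false): the API-sourced check accepts the forged entry and the pinned-key check rejects it.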
n/a
Are there any links users can visit to find out more?
https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model
docs.sigstore.dev/about/threat-model/#sigstore-threat-model
github.com/advisories/GHSA-xvrc-2wvh-49vc
github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236
github.com/sigstore/gitsign/pull/399
github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc
nvd.nist.gov/vuln/detail/CVE-2023-47122