GitHub Advisory DatabaseGHSA-XVRC-2WVH-49VCGitsign's Rekor public keys fetched from upstream API instead of local TUF client.
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
21.8%
Impact
In certain versions of gitsign, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures.
There is no known compromise the default public good instance (rekor.sigstore.dev) - anyone using this instance is unlikely to be affected.
Patches
This was fixed in v0.8.0 via https://github.com/sigstore/gitsign/pull/399
Workarounds
n/a
References
Are there any links users can visit to find out more?
https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model
Affected configurations
References
docs.sigstore.dev/about/threat-model/#sigstore-threat-model
github.com/advisories/GHSA-xvrc-2wvh-49vc
github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236
github.com/sigstore/gitsign/pull/399
github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc
nvd.nist.gov/vuln/detail/CVE-2023-47122
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
21.8%