CVE-2023-47122

2023-11-1022:15:14

CWE-347

[email protected]

web.nvd.nist.gov

gitsign

software

keyless

git signing

sigstore

vulnerability

incorrect signatures

rekor api

compromised

public keys

tuf client

rekor server

trusting

fix

version 0.8.0

sigstore.dev

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

0.001 Low

EPSS

Percentile

22.0%

JSON

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (rekor.sigstore.dev) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.