Lucene search
GoogleOSV:GHSA-VJXV-45G9-9296HistoryAug 10, 2022 - 6:40 p.m.
cosign's `cosign verify-attestaton --type` can report a false positive if any attestation exists
2022-08-1018:40:38
Google
osv.dev
13
0.002 Low
EPSS
Percentile
64.2%
cosign verify-attestation used with the --type flag will report a false positive verification when:
- There is at least one attestation with a valid signature
- There are NO attestations of the type being verified (–type defaults to “custom”)
This can happen when signing with a standard keypair and with “keyless” signing with Fulcio. Users should upgrade to cosign version 1.10.1 or greater for a patch. Currently the only workaround is to upgrade.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/sigstore/cosign | lt | 1.10.1 |
Related
cve
cve
CVE-2022-35929
2022-08-04 19:15:00
cvelist
cvelist
CVE-2022-35929 False positive signature verification in cosign
2022-08-04 18:45:14
veracode
veracode
Insecure Signature Verification
2022-08-05 05:12:16
osv
osv
BIT-cosign-2022-35929
2024-03-06 10:51:23
CVE-2022-35929
2022-08-04 19:15:09
nessus
nessus
SUSE SLED15 / SLES15 Security Update : cosign (SUSE-SU-2022:2877-1)
2022-08-24 00:00:00
alpinelinux
alpinelinux
CVE-2022-35929
2022-08-04 19:15:00
prion
prion
Design/Logic Flaw
2022-08-04 19:15:00
openvas
openvas
openSUSE: Security Advisory for cosign (SUSE-SU-2022:2877-1)
2022-08-24 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:2877-1)
2022-08-24 00:00:00
suse
suse
Security update for cosign (important)
2022-08-23 00:00:00
github
github
redhatcve
redhatcve
CVE-2022-35929
2022-08-08 05:31:39