Lucene search
+L

GHSA-VJXV-45G9-9296 cosign's `cosign verify-attestaton --type` can report a false positive if any attestation exists

🗓️ 10 Aug 2022 18:40:38Reported by GoogleType 
osv
 osv
🔗 osv.dev👁 21 Views

Cosign verify-attestation reports false positive with --type flag if valid signature exists and no attestations of the specific type; Vulnerable to standard and "keyless" signing with Fulcio; Upgrade to cosign version 1.10.1 or greater for patch

Related
Refs

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

06 Dec 2023 01:02Current
8High risk
Vulners AI Score8
CVSS 3.17.1
EPSS0.00551
21