GoogleOSV:GHSA-XVRC-2WVH-49VCGitsign's Rekor public keys fetched from upstream API instead of local TUF client.
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
6.8 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
22.0%
Impact
In certain versions of gitsign, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures.
There is no known compromise the default public good instance (rekor.sigstore.dev) - anyone using this instance is unlikely to be affected.
Patches
This was fixed in v0.8.0 via https://github.com/sigstore/gitsign/pull/399
Workarounds
n/a
References
Are there any links users can visit to find out more?
https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/sigstore/gitsign | lt | 0.8.0 | |
| github.com/sigstore/gitsign | ge | 0.6.0 |
References
docs.sigstore.dev/about/threat-model/#sigstore-threat-model
github.com/sigstore/gitsign
github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236
github.com/sigstore/gitsign/pull/399
github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc
nvd.nist.gov/vuln/detail/CVE-2023-47122
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
6.8 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
22.0%