Lucene search

PRIOn knowledge basePRION:CVE-2023-47122

HistoryNov 10, 2023 - 10:15 p.m.

Design/Logic Flaw

2023-11-1022:15:00

PRIOn knowledge base

www.prio-n.com

gitsign

git signing

sigstore

rekor api

tuf client

compromised server

incorrect signatures

public good instance

vulnerability

nvd

6.8 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

22.0%

JSON

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (rekor.sigstore.dev) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

CPENameOperatorVersion
gitsignge0.6.0
gitsignlt0.8.0

CPE	Name	Operator	Version
	gitsign	ge	0.6.0
	gitsign	lt	0.8.0

References

docs.sigstore.dev/about/threat-model/

github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236

github.com/sigstore/gitsign/pull/399

github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc