Lucene search
Redhat.comRH:CVE-2022-35929HistoryAug 08, 2022 - 5:31 a.m.
CVE-2022-35929
2022-08-0805:31:39
redhat.com
access.redhat.com
18
0.002 Low
EPSS
Percentile
64.2%
A flaw was found in the cosign package. The cosign verify-attestation used with the --type flag will report a false positive verification when there is at least one attestation with a valid signature and when there are no attestations of the type being verified (for example, —type defaults to “custom”). This issue can happen when signing with a standard keypair and keyless signing with Fulcio.
Related
cve
cve
CVE-2022-35929
2022-08-04 19:15:00
prion
prion
Design/Logic Flaw
2022-08-04 19:15:00
openvas
openvas
openSUSE: Security Advisory for cosign (SUSE-SU-2022:2877-1)
2022-08-24 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:2877-1)
2022-08-24 00:00:00
osv
osv
cosign's `cosign verify-attestaton --type` can report a false positive if any attestation exists
2022-08-10 18:40:38
BIT-cosign-2022-35929
2024-03-06 10:51:23
nessus
nessus
SUSE SLED15 / SLES15 Security Update : cosign (SUSE-SU-2022:2877-1)
2022-08-24 00:00:00
alpinelinux
alpinelinux
CVE-2022-35929
2022-08-04 19:15:00
veracode
veracode
Insecure Signature Verification
2022-08-05 05:12:16
cvelist
cvelist
CVE-2022-35929 False positive signature verification in cosign
2022-08-04 18:45:14
suse
suse
Security update for cosign (important)
2022-08-23 00:00:00
github
github