CVE-2022-23649
Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and...
EUVD-2022-0958
Malicious code in bioql PyPI...
EUVD-2022-6632
Malicious code in bioql PyPI...
cosign Security Vulnerability
cosign is a container signing, verification and storage tool for OCI registries, developed in the United States. A security vulnerability exists in versions prior to cosign 2.2.4, stemming from a remote image with a malicious attachment that could cause a denial of service on a host running Cosign...
BIT-COSIGN-2022-23649 Improper Certificate Validation in Cosign
Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and...
BIT-COSIGN-2022-35929 False positive signature verification in cosign
cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. cosign verify-attestation used with the --type flag will report a false positive verification when there is at least one attestation with a valid...
CVE-2022-35929 False positive signature verification in cosign
cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. cosign verify-attestation used with the --type flag will report a false positive verification when there is at least one attestation with a valid...
CVE-2022-35929
cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. cosign verify-attestation used with the --type flag will report a false positive verification when there is at least one attestation with a valid...
CVE-2022-35929
CVE-2022-35929 affects cosign prior to version 1.10.1. In cosign verify-attestation, using --type (default: custom) can yield a false positive when there is at least one attestation with a valid signature and no attestations of the type being verified. Repro example uses distroless image with a v...
cosign Data Forgery Vulnerability
cosign is a container signing, verification and storage tool for OCI registries, developed in the United States. A data forgery vulnerability exists in versions prior to cosign 1.10.1, stemming from the fact that cosign verify-attestation --type may report a false positive if any attestation is...
Design/Logic Flaw
Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and...
CVE-2022-23649
Summary: CVE-2022-23649 affects Cosign prior to 1.5.2, where an attacker with pull and push access to an OCI-stored signature can manipulate Cosign to falsely claim a Rekor entry exists. The root cause is improper verification of the Rekor bundle versus the signature during verification; the patc...