476 matches found
CVE-2026-49834 sigstore-go: Multi-log threshold bypass via single compromised log
sigstore-go is a Go library for Sigstore signing and verification. Prior to 1.2.0, a verifier configured with WithTransparencyLogN1 or WithSignedCertificateTimestampsN1 counts verified witnesses per entry or per validation path rather than per log authority, allowing a single compromised...
CVE-2026-49834
Technical details about CVE-2026-49834 are not publicly available in the provided connected documents. Monitor for updates.
CVE-2026-49834 sigstore-go: Multi-log threshold bypass via single compromised log
sigstore-go is a Go library for Sigstore signing and verification. Prior to 1.2.0, a verifier configured with WithTransparencyLogN1 or WithSignedCertificateTimestampsN1 counts verified witnesses per entry or per validation path rather than per log authority, allowing a single compromised...
CVE-2026-49835
CVE-2026-49835 affects Sigstore Timestamp Authority. The issue arises from the legacy wrapMetrics middleware, which records raw HTTP path and method as Prometheus labels for latency and request count, enabling an unauthenticated attacker to issue requests with arbitrary paths/methods and create u...
CVE-2026-49835 Sigstore Timestamp Authority: OOM due to unbounded metric label cardinality
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an...
CVE-2026-48758
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature...
CVE-2026-48815
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications...
CVE-2026-48816 sigstore-js: Insufficient Verification of Data Authenticity
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries.integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind...
CVE-2026-48816
CVE-2026-48816 affects sigstore-js, where prior to version 3.1.1 the verification logic in @sigstore/verify derives a transparency-log timestamp from tlogEntries[].integratedTime for bundle v0.2 inclusionProof-only entries, even though the inclusion proof path does not cryptographically bind inte...
CVE-2026-48816 sigstore-js: Insufficient Verification of Data Authenticity
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries.integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind...
CVE-2026-48758
CVE-2026-48758 affects sigstore-js with a flaw in the preAuthEncoding function in @sigstore/core: it uses Node.js ASCII encoding when converting PAE strings to bytes, allowing payloadType to be mutated after signing without invalidating the DSSE signature. The issue is fixed in @sigstore/core ver...
CVE-2026-48758 sigstore-js: DSSE payloadType type-binding failure
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature...
CVE-2026-48758 sigstore-js: DSSE payloadType type-binding failure
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.2.1, the preAuthEncoding function in @sigstore/core uses Node.js ascii encoding when converting the PAE string to bytes, allowing payloadType to be mutated after signing without invalidating the signature...
CVE-2026-48815 sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications...
CVE-2026-48815
Summary of CVE-2026-48815 : In sigstore-js, the documented certificateOIDs option in sigstore.verify() is accepted by the public API before verification but discarded during verification, causing certificate extension OIDs to not be checked. This allows applications to accept unauthorized certifi...
CVE-2026-48815 sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications...
CVE-2026-59891
The CVE-2026-59891 entry concerns sigstore-js prior to 0.7.1. getRegistryCredentials() reads Docker config credentials and selects an entry by substring match of the target registry, which can cause credentials for one registry to be sent to a different registry whose hostname has a matching subs...
CVE-2026-59891 Credential confusion in @sigstore/oci can leak registry credentials to an attacker-controlled registry
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 0.7.1, getRegistryCredentials reads credentials from the Docker config file and selects an entry by checking whether any configured auth key contains the target registry string. Because this is a substring...
CVE-2026-48815
A flaw was found in sigstore. The certificateOIDs option, intended to restrict which certificates can sign artifacts, is accepted by the public application programming interface API but is not used during the verification process. This allows unauthorized certificates to be accepted, bypassing...
CVE-2026-49835
A flaw was found in Sigstore Timestamp Authority. An unauthenticated remote attacker can exploit this vulnerability by sending requests with arbitrary HTTP paths and methods. This leads to the creation of an excessive number of unique metric labels, causing unbounded memory growth and a denial of...