SUSE CVE-2026-48501
GitHub CLI gh is GitHub's official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...
CVE-2025-64186
Evervault is a payment security solution. A vulnerability was identified in the evervault-go SDK’s attestation verification logic in versions of evervault-go prior to 1.3.2 that may allow incomplete documents to pass validation. This may cause the client to trust an enclave operator that does not...
Improper Verification of Cryptographic Signature
Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via incomplete validation of attestation documents in the attestation verification process. An attacker can cause clients to trust enclaves that do not meet expected integrity guarantees ...
Missing Critical Step in Authentication
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the WebAuthn Attestation Statement verification. An attacker can...
CVE-2025-62375 go-witness Improper Verification of AWS EC2 Identity Documents
go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier the AWS attestor improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when a signature is not present or is...
CVE-2025-27839
operations/attestation/AttestationTask.kt in the Tangem SDK before 5.18.3 for Android has a logic flaw in the offline wallet attestation genuineness check that causes verification results to be disregarded during the first scan of a card. Exploitation may not have been possible...
CVE-2025-25204 `gh attestation verify` returns incorrect exit code during verification if no attestations are present
gh is GitHub’s official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool gh attestation verify causes it to return a zero exit status when no attestations are present. This behavior is incorrect:...
openSUSE 15 Security Update : gh (openSUSE-SU-2024:0227-1)
The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2024:0227-1 advisory. Update to version 2.53.0: CVE-2024-6104: gh: hashicorp/go-retryablehttp: url might write sensitive information to log file boo#1227035 Disable...
openSUSE Security Advisory (openSUSE-SU-2024:0227-1)
The remote host is missing an update for the 'gh' package announced via the openSUSE-SU-2024:0227-1 advisory...
OPENSUSE-SU-2024:0227-1 Security update for gh
This update for gh fixes the following issues: Update to version 2.53.0: CVE-2024-6104: gh: hashicorp/go-retryablehttp: url might write sensitive information to log file boo#1227035 Disable TestGetTrustedRoot/successfullyverifiesTUFroot test due to https://github.com/cli/cli/issues/8928 Rename...
OPENSUSE-SU-2024:0226-1 Security update for gh
This update for gh fixes the following issues: Update to version 2.53.0: CVE-2024-6104: gh: hashicorp/go-retryablehttp: url might write sensitive information to log file boo#1227035 Disable TestGetTrustedRoot/successfullyverifiesTUFroot test due to https://github.com/cli/cli/issues/8928 Rename...
AZL-42985 CVE-2024-29040 affecting package tpm2-tss for versions less than 2.4.6-4
This repository hosts source code implementing the Trusted Computing Group's TCG TPM2 Software Stack (TSS). The JSON Quote Info returned by Fapi_Quote has to be deserialized by Fapi_VerifyQuote to the TPM structure TPMS_ATTEST. For the field TPM2_GENERATED magic of this structure any number can be used...
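The TPMS_ATTEST entry above describes a deserializer that accepts any value in the magic field. The following Go program is an added illustration of that bug class, not tpm2-tss code: it parses the two leading fixed-size fields of a TPMS_ATTEST blob and contrasts a lenient check, which only tests the structure's shape, with a strict one that requires the magic to be TPM_GENERATED_VALUE (0xFF544347, the bytes 0xFF "TCG" from the TPM 2.0 Structures specification) and the type to be TPM_ST_ATTEST_QUOTE (0x8018). The sample blobs are constructed here; a real verifier must still check the signature over the whole structure and the qualifiedSigner/extraData fields, which this example does not model.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TPMGeneratedValue is the fixed magic the TPM writes at the start of every
// TPMS_ATTEST it signs (TPM 2.0 Part 2, TPM_GENERATED_VALUE = 0xFF "TCG").
const TPMGeneratedValue uint32 = 0xFF544347

// TPMSTAttestQuote is the TPMI_ST_ATTEST tag for a quote (TPM_ST_ATTEST_QUOTE).
const TPMSTAttestQuote uint16 = 0x8018

// attestHeader holds the first two fields of TPMS_ATTEST: magic and type.
type attestHeader struct {
	Magic uint32
	Type  uint16
}

// parseAttestHeader reads the big-endian magic and type that open a
// TPMS_ATTEST blob. It deliberately checks only that enough bytes exist.
func parseAttestHeader(b []byte) (attestHeader, error) {
	if len(b) < 6 {
		return attestHeader{}, errors.New("TPMS_ATTEST too short for magic and type")
	}
	return attestHeader{
		Magic: binary.BigEndian.Uint32(b[0:4]),
		Type:  binary.BigEndian.Uint16(b[4:6]),
	}, nil
}

// acceptLenient mirrors the bug class from the advisory: the blob is accepted
// as long as it deserializes, so a forged structure with any magic passes.
func acceptLenient(b []byte) bool {
	_, err := parseAttestHeader(b)
	return err == nil
}

// acceptStrict rejects any structure whose magic is not TPM_GENERATED_VALUE or
// whose type is not a quote. Software cannot produce a signed blob with this
// magic through a normal TPM signing command, which is what makes the check
// meaningful once the signature itself has been verified.
func acceptStrict(b []byte) (bool, error) {
	h, err := parseAttestHeader(b)
	if err != nil {
		return false, err
	}
	if h.Magic != TPMGeneratedValue {
		return false, fmt.Errorf("magic 0x%08X is not TPM_GENERATED_VALUE", h.Magic)
	}
	if h.Type != TPMSTAttestQuote {
		return false, fmt.Errorf("type 0x%04X is not TPM_ST_ATTEST_QUOTE", h.Type)
	}
	return true, nil
}

// Constructed sample inputs (not real TPM output): a genuine-looking header
// and a forged one where the attacker chose 0x00000000 as the magic.
var (
	genuineBlob = []byte{0xFF, 0x54, 0x43, 0x47, 0x80, 0x18, 0x00, 0x04}
	forgedBlob  = []byte{0x00, 0x00, 0x00, 0x00, 0x80, 0x18, 0x00, 0x04}
)

func main() {
	fmt.Println("lenient accepts forged:", acceptLenient(forgedBlob))
	ok, err := acceptStrict(forgedBlob)
	fmt.Println("strict accepts forged:", ok, "err:", err)
	ok, err = acceptStrict(genuineBlob)
	fmt.Println("strict accepts genuine:", ok, "err:", err)
}
```

The magic check is cheap but only closes the gap described in the entry; it is not a substitute for verifying the signature over the TPMS_ATTEST bytes with the attestation key.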
SUSE-SU-2022:2877-1 Security update for cosign
This update for cosign fixes the following issues: - Updated to 1.10.1 jsc#SLE-23879: - CVE-2022-35929: Fixed an issue where cosign verify-attestation --type could report false positives when there was at least one attestation with a valid signature and there were no attestations of the type being...
PolicyController before 0.2.1 may bypass attestation verification
PolicyController will report a false positive, resulting in an admission when it should not be admitted when: There is at least one attestation with a valid signature There are NO attestations of the type being verified --type defaults to "custom" Users should upgrade to cosign version 0.2.1 or...
GHSA-739F-HW6H-7WQ8 PolicyController before 0.2.1 may bypass attestation verification
PolicyController will report a false positive, resulting in an admission when it should not be admitted when: There is at least one attestation with a valid signature There are NO attestations of the type being verified --type defaults to "custom" Users should upgrade to cosign version 0.2.1 or...
CVE-2022-35929
A flaw was found in the cosign package. The cosign verify-attestation used with the --type flag will report a false positive verification when there is at least one attestation with a valid signature and when there are no attestations of the type being verified for example, --type defaults to...
CVE-2022-35930 Ability to bypass attestation verification in sigstore PolicyController
PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are ...