2 matches found
Improper Verification of Cryptographic Signature
Overview @sigstore/cli is a Sigstore CLI Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the certificateOIDs option being accepted by the public API but discarded before verification, resulting in required certificate extension OIDs neve...
GHSA-52V5-JR5W-GJXR sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced
Summary The documented certificateOIDs option in sigstore.verify is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked. Details The public verify options include certificateOIDs and the documentation says those OID/value pairs...