3 matches found
CVE-2022-23649
Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and...
CVE-2022-23649
Summary: CVE-2022-23649 affects Cosign prior to 1.5.2, where an attacker with pull and push access to an OCI-stored signature can manipulate Cosign to falsely claim a Rekor entry exists. The root cause is improper verification of the Rekor bundle versus the signature during verification; the patc...
CVE-2022-23649 Improper Certificate Validation in Cosign
Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and...