3 matches found
CVE-2024-53267
sigstore-java (the Java client) is affected by a vulnerability where KeylessVerifier.verify() may accept a validly-signed but mismatched bundle as proof of inclusion in a transparency log. The log-entry could be unrelated to the artifact, allowing a bundle to appear logged without proof the signi...
CVE-2024-53267 Vulnerability with bundle verification in sigstore-java
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation...
dev.sigstore:sigstore-maven-plugin (=1.0.0), org.apache.maven.resolver:maven-resolver-generator-sigstore (>=2.0.2 <=2.0.4) +1 more potentially affected by CVE-2024-53267 via dev.sigstore:sigstore-java (=1.0.0)
dev.sigstore:sigstore-java MAVEN version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on dev.sigstore:sigstore-java and may be impacted: - dev.sigstore:sigstore-maven-plugin =1.0.0 - org.apache.maven.resolver:maven-resolver-generator-sigstore...