Lucene search
K

5 matches found

Github Security Blog
Github Security Blog
added 2026/03/11 12:24 a.m.10 views

sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest

Summary Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardles...

7.5CVSS6AI score0.00217EPSS
Exploits0References4Affected Software1
RubySec
RubySec
added 2026/03/11 12:0 a.m.12 views

sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest

Summary Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardles...

7.5CVSS6AI score0.00217EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/03/10 10:16 p.m.7 views

CVE-2026-31830

sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation...

7.5CVSS0.00217EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/10 9:46 p.m.31 views

CVE-2026-31830 sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest

sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifierverify does not propagate the VerificationFailure returned by verifyintoto when the artifact digest does not match the digest in the in-toto attestation...

7.5CVSS0.00217EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.6 views

PT-2026-24484

Name of the Vulnerable Software and Affected Versions sigstore-ruby versions prior to 0.2.3 Description The software does not correctly handle verification failures when the artifact digest does not match the digest in the in-toto attestation subject. Specifically, the Sigstore::Verifierverify...

7.5CVSS5.8AI score0.00217EPSS
Exploits0References4
Rows per page
Query Builder