15 matches found
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index through the CertVerifier.Verify function. An attacker can cause the process to panic and exit with a success code by providing a CMS/PKCS7 signed message containing an empty certificate set, which lead...
Improper Validation of Array Index
Overview Affected versions of this package are vulnerable to Improper Validation of Array Index through the CertVerifier.Verify function. An attacker can cause the process to panic and exit with a success code by providing a CMS/PKCS7 signed message containing an empty certificate set, which lead...
CVE-2026-44310 gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify in pkg/git/verifier.go unconditionally dereferences certs0 after sd.GetCertificates without checking the slice length. A CMS/PKCS7 signed message with...
CVE-2026-44310
CVE-2026-44310 (gitsign) : In CertVerifier.Verify(), after GetCertificates(), the code dereferences certs[0] without validating the slice length. A CMS/PKCS7 message can have an empty certificate set, causing an index-out-of-range panic. When invoked via the gitsign --verify path (git verify-comm...
EUVD-2026-30564
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify in pkg/git/verifier.go unconditionally dereferences certs0 after sd.GetCertificates without checking the slice length. A CMS/PKCS7 signed message with...
CVE-2026-44310 gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify in pkg/git/verifier.go unconditionally dereferences certs0 after sd.GetCertificates without checking the slice length. A CMS/PKCS7 signed message with...
Gitsign 输入验证错误漏洞
Gitsign is a tool developed by Gitsign’s developers that allows for signing Git commits without the need for a key. Versions of Gitsign from 0.4.0 to 0.15.0 contained a vulnerability related to input validation errors. This vulnerability stemmed from the CertVerifier.Verify method, which...
GHSA-7C37-GX6W-8VC5 gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers
Summary CertVerifier.Verify in pkg/git/verifier.go unconditionally dereferences certs0 after sd.GetCertificates without checking the slice length. A CMS/PKCS7 signed message with an empty certificate set is a structurally valid DER payload; GetCertificates returns an empty slice with no error,...
PT-2026-39244
Name of the Vulnerable Software and Affected Versions Gitsign versions 0.4.0 through 0.14.x Description In the CertVerifier.Verify function within pkg/git/verifier.go, the software unconditionally dereferences the first element of a certificate slice certs0 after calling sd.GetCertificates withou...
Linux Distros Unpatched Vulnerability : CVE-2011-3024
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Google Chrome before 17.0.963.56 allows remote attackers to cause a denial of service application crash via an empty X.509 certificate. CVE-2011-3024 Note that...
EulerOS 2.0 SP11 : nss (EulerOS-SA-2025-1936)
According to the versions of the nss packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is...
Linux Distros Unpatched Vulnerability : CVE-2022-22747
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to...
SUSE CVE-2011-3024
Google Chrome before 17.0.963.56 allows remote attackers to cause a denial of service application crash via an empty X.509 certificate...
UBUNTU-CVE-2011-3024
Google Chrome before 17.0.963.56 allows remote attackers to cause a denial of service application crash via an empty X.509 certificate...
CVE-2011-3024
Google Chrome before 17.0.963.56 allows remote attackers to cause a denial of service application crash via an empty X.509 certificate...