Lucene search
+L

17 matches found

NVD
NVD
added 4 days ago4 views

CVE-2026-48816

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries.integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind...

6.5CVSS0.00158EPSS
Exploits0References4
OSV
OSV
added 4 days ago5 views

CVE-2026-48816 sigstore-js: Insufficient Verification of Data Authenticity

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries.integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind...

6.5CVSS6.1AI score0.00158EPSS
Exploits0References6
OSV
OSV
added 2026/07/01 7:57 p.m.3 views

GHSA-XGJW-PM74-86Q4 sigstore-js has Insufficient Verification of Data Authenticity

sigstore-js derives a transparency-log timestamp from tlogEntries.integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a tlog entry can be inclusionProof-only no signed inclusionPromise/set, and the inclusion proof path does not...

6.5CVSS5.8AI score0.00158EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/01 7:57 p.m.12 views

sigstore-js has Insufficient Verification of Data Authenticity

sigstore-js derives a transparency-log timestamp from tlogEntries.integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a tlog entry can be inclusionProof-only no signed inclusionPromise/set, and the inclusion proof path does not...

6.5CVSS5.8AI score0.00158EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.7 views

PT-2026-55205

Name of the Vulnerable Software and Affected Versions sigstore-js versions prior to 3.1.1 Description The @sigstore/verify library incorrectly derives a transparency-log timestamp from the tlogEntries.integratedTime variable for bundle v0.2 inclusionProof-only entries. Because the inclusion proof...

6.5CVSS6.1AI score0.00158EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/06/10 12:0 a.m.18 views

Nimiq 数据伪造问题漏洞

Nimiq is an open-source implementation of the Albatross protocol in Rust. Versions of Nimiq prior to 1.4.0 had a data manipulation vulnerability. This vulnerability stems from a logical flaw in the BlockInclusionProof::isblockproven function, causing it to return true without performing any...

5.9CVSS5.2AI score0.0015EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/09 11:44 p.m.35 views

CVE-2026-46539 nimiq-primitives: BlockInclusionProof interlink issue when hops are empty

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a logic flaw in BlockInclusionProof::isblockproven causes the function to return true without performing any cryptographic verification when getinterlinkhops...

5.9CVSS0.0015EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/09 11:44 p.m.10 views

CVE-2026-46539 nimiq-primitives: BlockInclusionProof interlink issue when hops are empty

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a logic flaw in BlockInclusionProof::isblockproven causes the function to return true without performing any cryptographic verification when getinterlinkhops...

5.9CVSS5.4AI score0.0015EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/09 11:44 p.m.12 views

EUVD-2026-35880

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a logic flaw in BlockInclusionProof::isblockproven causes the function to return true without performing any cryptographic verification when getinterlinkhops...

5.9CVSS5.4AI score0.0015EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.11 views

PT-2026-42602

Impact A logic flaw in BlockInclusionProof::is block proven causes the function to return true without performing any cryptographic verification when get interlink hops yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the election...

5.9CVSS5.8AI score
Exploits0References6
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-3484

Malicious code in bioql PyPI...

2.1CVSS6.3AI score0.00209EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2025/05/23 8:11 a.m.7 views

CVE-2024-54140

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify. Currently...

2.1CVSS6.3AI score0.00209EPSS
Exploits0References1
Veracode
Veracode
added 2024/12/17 1:9 p.m.13 views

Improper Input Validation

dev.sigstore, sigstore-java is vulnerable to Improper Input Validation. The vulnerability is due to insufficient verification in the KeylessVerifier.verify method, which fails to properly validate whether the inclusion proof provided by a bundle corresponds to the correct log, allows an attacker ...

2.1CVSS6.9AI score0.00209EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2024/12/05 10:22 p.m.8 views

GHSA-JP26-88MW-89QR sigstore-java has a vulnerability with bundle verification

Summary sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. Impact This bug impacts clients using any variation of KeylessVerifier.verify Currently checkpoints are only used to ensure the root hash of an inclusion proof was...

2.1CVSS5.9AI score0.00209EPSS
Exploits0References5
NVD
NVD
added 2024/12/05 10:15 p.m.41 views

CVE-2024-54140

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify. Currently...

2.1CVSS0.00209EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2024/12/05 10:8 p.m.12 views

CVE-2024-54140 sigstore-java has a vulnerability with bundle verification

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify. Currently...

2.1CVSS7AI score0.00209EPSS
Exploits0References3
CVE
CVE
added 2024/12/05 10:8 p.m.65 views

CVE-2024-54140

CVE-2024-54140 : sigstore-java has insufficient verification in KeylessVerifier.verify(), allowing a bundle to provide an invalid signature for a checkpoint and potentially an inclusion proof that doesn’t match the intended log. Impact is described as low for non-monitor/witness clients; fixes ar...

2.1CVSS6.4AI score0.00209EPSS
Exploits0References3
Rows per page
Query Builder