2 matches found
CVE-2023-47122
Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could...
CVE-2014-1921
parcimonie before 0.8.1, when using a large keyring, sleeps for the same amount of time between fetches, which allows attackers to correlate key fetches via unspecified vectors...