2 matches found
CVE-2024-53267 Vulnerability with bundle verification in sigstore-java
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation...
CVE-2024-53267
sigstore-java (the Java client) is affected by a vulnerability where KeylessVerifier.verify() may accept a validly-signed but mismatched bundle as proof of inclusion in a transparency log. The log-entry could be unrelated to the artifact, allowing a bundle to appear logged without proof the signi...