Lucene search
K

4 matches found

Snyk
Snyk
added 2026/07/01 7:58 p.m.6 views

Improper Verification of Cryptographic Signature

Overview sigstore is a code-signing for npm packages Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the certificateOIDs option being accepted by the public API but discarded before verification, resulting in required certificate extensi...

8.7CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/07/01 7:58 p.m.2 views

Improper Verification of Cryptographic Signature

Overview org.webjars.npm:sigstore is a code-signing for npm packages Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the certificateOIDs option being accepted by the public API but discarded before verification, resulting in required...

8.7CVSS5.9AI score
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/01/26 9:34 p.m.6 views

aiogithubapi (=23.11.0), authsignal (=2.0.1) +17 more potentially affected by CVE-2026-24408 via sigstore (>=2.0.0rc3 <=3.6.7)

sigstore PYPI version =2.0.0rc3, =2026.5.21.dev103715, =1.50.0, =2.4.0, =3.3.0 - mcp-audit-scanner =0.1.0 - projectair =1.0.1 - pylock-attestations =0.0.1a2 and more Source cves: CVE-2026-24408 Source advisory: OSV:GHSA-HM8F-75XX-W2VR...

5CVSS5.7AI score0.00158EPSS
Exploits0
Veracode
Veracode
added 2024/12/17 10:20 a.m.8 views

Insufficient Validation Of Integration Time

sigstore is vulnerable to insufficient validation of integration time. The vulnerability is due to insufficient validation of the integration time in "v2" and "v3" bundles, which allows an attacker to modify the timestamp and cause the signature verification to fail. However, the attack does not...

6.9CVSS6.5AI score0.0024EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder