4 matches found
Improper Verification of Cryptographic Signature
Overview sigstore is a code-signing for npm packages Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the certificateOIDs option being accepted by the public API but discarded before verification, resulting in required certificate extensi...
Improper Verification of Cryptographic Signature
Overview org.webjars.npm:sigstore is a code-signing for npm packages Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the certificateOIDs option being accepted by the public API but discarded before verification, resulting in required...
aiogithubapi (=23.11.0), authsignal (=2.0.1) +17 more potentially affected by CVE-2026-24408 via sigstore (>=2.0.0rc3 <=3.6.7)
sigstore PYPI version =2.0.0rc3, =2026.5.21.dev103715, =1.50.0, =2.4.0, =3.3.0 - mcp-audit-scanner =0.1.0 - projectair =1.0.1 - pylock-attestations =0.0.1a2 and more Source cves: CVE-2026-24408 Source advisory: OSV:GHSA-HM8F-75XX-W2VR...
Insufficient Validation Of Integration Time
sigstore is vulnerable to insufficient validation of integration time. The vulnerability is due to insufficient validation of the integration time in "v2" and "v3" bundles, which allows an attacker to modify the timestamp and cause the signature verification to fail. However, the attack does not...