EUVD-2024-3375
Malicious code in bioql PyPI...
EUVD-2024-3484
Malicious code in bioql PyPI...
CVE-2024-54140
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides an invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify. Currently...
CVE-2024-53267
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation...
Improper Input Validation
dev.sigstore, sigstore-java is vulnerable to Improper Input Validation. The vulnerability is due to insufficient verification in the KeylessVerifier.verify method, which fails to properly validate whether the inclusion proof provided by a bundle corresponds to the correct log, allows an attacker ...
GHSA-JP26-88MW-89QR sigstore-java has a vulnerability with bundle verification
Summary: sigstore-java has insufficient verification for a situation where a bundle provides an invalid signature for a checkpoint. Impact: This bug impacts clients using any variation of KeylessVerifier.verify. Currently checkpoints are only used to ensure the root hash of an inclusion proof was...
dev.sigstore:sigstore-maven-plugin (>=0.4.0 <=1.1.0), hboutemy:sigstore-maven-plugin (=1.0.0-beta-3) +3 more potentially affected by CVE-2024-54140 via dev.sigstore:sigstore-java (>=0.11.0 <=1.1.0)
dev.sigstore:sigstore-java MAVEN version =0.11.0, =0.4.0, =2.0.2, =2.0.3, =2.0.4 Source cves: CVE-2024-54140 Source advisory: OSV:GHSA-JP26-88MW-89QR...
CVE-2024-54140 sigstore-java has a vulnerability with bundle verification
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides an invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify. Currently...
CVE-2024-54140
CVE-2024-54140 : sigstore-java has insufficient verification in KeylessVerifier.verify(), allowing a bundle to provide an invalid signature for a checkpoint and potentially an inclusion proof that doesn’t match the intended log. Impact is described as low for non-monitor/witness clients; fixes ar...
sigstore-java input validation error vulnerability
sigstore-java is an open source sigstore java client for interacting with the sigstore infrastructure. An input validation error vulnerability exists in versions of sigstore-java prior to 1.2.0, which stems from an inability to adequately validate a user if they provide an invalid signatu...
CVE-2024-53267 Vulnerability with bundle verification in sigstore-java
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation...
CVE-2024-53267
sigstore-java (the Java client) is affected by a vulnerability where KeylessVerifier.verify() may accept a validly-signed but mismatched bundle as proof of inclusion in a transparency log. The log-entry could be unrelated to the artifact, allowing a bundle to appear logged without proof the signi...
GHSA-Q4XM-6FJC-5F6W sigstore-java has vulnerability with bundle verification
Summary: sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. Impact: This bug impacts clients using any variation of KeylessVerifier.verify. The verifier may accept a bundle with an...
dev.sigstore:sigstore-maven-plugin (=1.0.0), org.apache.maven.resolver:maven-resolver-generator-sigstore (>=2.0.2 <=2.0.4) +1 more potentially affected by CVE-2024-53267 via dev.sigstore:sigstore-java (=1.0.0)
dev.sigstore:sigstore-java MAVEN version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on dev.sigstore:sigstore-java and may be impacted: - dev.sigstore:sigstore-maven-plugin =1.0.0 - org.apache.maven.resolver:maven-resolver-generator-sigstore...