2 matches found
sigstore-java security vulnerability
sigstore-java is an open source Java client from sigstore for interacting with sigstore infrastructure. A security vulnerability exists in sigstore-java that stems from its inability to adequately verify that validly signed but mismatched bundles are included in transparency logs...
cosign data forgery vulnerability
cosign is a tool, from the United States, for container signing, verification and storage in an OCI registry. A data forgery vulnerability exists in cosign versions prior to 1.12.0 that stems from bundle mismatches leading to invalid validation, not checking certificate identity in some cases, invalid...