17 matches found
BIT-COSIGN-2026-39395 Cosign's verify-blob-attestation reports false positive when payload parsing fails
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...
EUVD-2026-19919
Cosign's verify-blob-attestation reports false positive when payload parsing fails...
Cosign's verify-blob-attestation reports false positive when payload parsing fails
Description cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For...
Missing Report of Error Condition
Overview Affected versions of this package are vulnerable to Missing Report of Error Condition in the verify-blob-attestation module when used without --check-claims flag. An attacker can cause the system to incorrectly report successful verification of attestations with malformed payloads or...
Missing Report of Error Condition
Overview github.com/sigstore/cosign/cmd/cosign/cli/verify is a package that aims to make signatures invisible infrastructure. Affected versions of this package are vulnerable to Missing Report of Error Condition in the verify-blob-attestation module when used without --check-claims flag. An...
Missing Report of Error Condition
Overview Affected versions of this package are vulnerable to Missing Report of Error Condition in the verify-blob-attestation module when used without --check-claims flag. An attacker can cause the system to incorrectly report successful verification of attestations with malformed payloads or...
DEBIAN-CVE-2026-39395
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...
UBUNTU-CVE-2026-39395
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...
CVE-2026-39395
CVE-2026-39395 affects Cosign prior to 3.0.6 and 2.6.3, where verify-blob-attestation could erroneously report a Verified OK result for attestations with malformed payloads or mismatched predicate types. The root causes differ by bundle format: old-format bundles had a logic flaw in error handlin...
CVE-2026-39395
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...
CVE-2026-39395 Cosign's verify-blob-attestation reports false positive when payload parsing fails
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...
CVE-2026-39395 Cosign's verify-blob-attestation reports false positive when payload parsing fails
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...
CVE-2026-39395
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures,...
SUSE CVE-2022-36056
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First...
Cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature
Summary A number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. Vulnerability 1: Bundle mismatch causes invalid verification. Summary A cosign bundle can be crafted to successfully verify a blob ev...
CVE-2022-36056
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First...
Design/Logic Flaw
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First...