2 matches found
CVE-2026-39984
CVE-2026-39984 – Sigstore Timestamp Authority (tsa/timestamp-authority/v2/pkg/verification) : Versions 2.0.5 and earlier contain an authorization bypass in VerifyTimestampResponse. The code validates the certificate chain correctly but applies TSA-specific constraints using the first non-CA certi...
CVE-2025-66564
Sigstore Timestamp Authority contains a vulnerability (CVE-2025-66564) where ParseJSONRequest and getContentType allocate O(n) bytes when handling untrusted input (an OID with many periods or a malformed Content-Type header). The issue is triggered by using strings.Split on untrusted data, leadin...