Lucene search

Veracode Vulnerability DatabaseVERACODE:44246

HistoryNov 13, 2023 - 7:25 a.m.

Improper Verification Of Cryptographic Signature

2023-11-1307:25:51

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

github

sigstore

gitsign

vulnerability

cryptographic signature

verification

rekor server

compromise

api

tuf client

validation

lack of validation

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.0%

JSON

github.com/sigstore/gitsign is vulnerable to Improper Verification Of Cryptographic Signature. The vulnerability is applicable in the case where a Rekor server is compromised, as gitsign directly fetches public keys via the API without TUF client validations. This leads to lack of validation and verification layers that a TUF client would provide.

CPENameOperatorVersion
github.com/sigstore/gitsignlev0.7.1
github.com/sigstore/gitsignlev0.7.1

CPE	Name	Operator	Version
	github.com/sigstore/gitsign	le	v0.7.1
	github.com/sigstore/gitsign	le	v0.7.1

References

docs.sigstore.dev/about/threat-model/#sigstore-threat-model

github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236

github.com/sigstore/gitsign/pull/399

github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.0%

JSON

Related for VERACODE:44246