Recent Vulnerabilities Research Posts Trends Blog About Contact

Published: 10/11/2023 Updated: 16/11/2023

CVSS v3 Base Score: 5.3 | Impact Score: 3.6 | Exploitability Score: 1.6

VMScore: 0

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and before 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

Vulnerable Product	Search on Vulmon	Subscribe to Product
sigstore gitsign

CWE-347 https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc https://github.com/sigstore/gitsign/pull/399 https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236 https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model https://nvd.nist.gov

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2023-47122

Vulnerability Summary

References

Vulmon Search

About

Products

Connect