Description
CVE-2022-36056 - Medium Severity Vulnerability
Vulnerable Library - github.com/sigstore/cosign-v1.0.1
Container Signing
Library home page: https://proxy.golang.org/github.com/sigstore/cosign/@v/v1.0.1.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Dependency Hierarchy:
- ❌ github.com/sigstore/cosign-v1.0.1 (Vulnerable Library)
Found in HEAD commit: df1f7d3f67826e841793324e4796be4fbd91c00f
Found in base branch: main
Vulnerability Details
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.
Publish Date: 2022-09-14
URL: CVE-2022-36056
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Step up your Open Source Security Game with Mend here