Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/sigstore/rekor: CVE-2023-33199 #1797

Closed
GoVulnBot opened this issue May 26, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/sigstore/rekor: CVE-2023-33199 #1797

GoVulnBot opened this issue May 26, 2023 · 1 comment
Labels
duplicate

Comments

@GoVulnBot
Copy link

CVE-2023-33199 references github.com/sigstore/rekor, which may be a Go module.

Description:
Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. A malformed proposed entry of the intoto/v0.0.2 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This has been fixed in v1.2.0 of Rekor. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/sigstore/rekor
    packages:
      - package: rekor
description: |
    Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This has been fixed in v1.2.0 of Rekor. Users are advised to upgrade. There are no known workarounds for this vulnerability.
cves:
  - CVE-2023-33199
references:
  - advisory: https://github.com/sigstore/rekor/security/advisories/GHSA-frqx-jfcm-6jjr
  - fix: https://github.com/sigstore/rekor/commit/140c5add105179e5ffd9e3e114fd1b6b93aebbd4
@maceonthompson
Copy link

duplicate of #1795

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@maceonthompson @GoVulnBot