Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/sigstore/cosign: CVE-2022-23649 #326

Closed
GoVulnBot opened this issue Feb 18, 2022 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/sigstore/cosign: CVE-2022-23649 #326

GoVulnBot opened this issue Feb 18, 2022 · 2 comments
Assignees
@zpavlinovic @julieqiu
Labels
cve-year-2022 NeedsReport

Comments

@GoVulnBot
Copy link

In CVE-2022-23649, the reference URL github.com/sigstore/cosign (and possibly others) refers to something in Go.

module: github.com/sigstore/cosign
package: cosign
description: |
    Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing" with Fulcio. If an attacker has access to the signature in OCI, they can manipulate co#to believing the entry was stored in Rekor even though it wasn't. The vulnerability has been patched in v1.5.2 of Cosign. The `signature` in the `signedEntryTimestamp` provided by Rekor is now compared to the `signature` that is being verified. If these don't match, then an error is returned. If a valid bundle is copied to a different signature, verification should fail.  Cosign output now only informs the user that certificates were verified if a certificate was in fact verified. There is currently no known workaround.
cves:
  - CVE-2022-23649
links:
    commit: https://github.com/sigstore/cosign/commit/96d410a6580e4e81d24d112a0855c70ca3fb5b49
    context:
      - https://github.com/sigstore/cosign/security/advisories/GHSA-ccxc-vr6p-4858

See doc/triage.md for instructions on how to triage this report.
@julieqiu julieqiu self-assigned this Feb 22, 2022
@julieqiu
Copy link
Member

Vulnerability in tool

@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 11, 2022
@GoVulnBot GoVulnBot mentioned this issue Nov 7, 2023
Closed
@zpavlinovic zpavlinovic reopened this Nov 8, 2023
@zpavlinovic zpavlinovic added NeedsReport and removed excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. labels Nov 8, 2023
@zpavlinovic zpavlinovic self-assigned this Nov 8, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/540897 mentions this issue: data/reports: add GO-2022-0326.yaml

This was referenced Apr 11, 2024
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@zpavlinovic zpavlinovic

@julieqiu julieqiu

Labels
cve-year-2022 NeedsReport
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@neild @zpavlinovic @julieqiu @gopherbot @GoVulnBot