data/reports: add GO-2022-0326.yaml
Aliases: CVE-2022-23649, GHSA-ccxc-vr6p-4858

Fixes #326

Change-Id: I3a136ad5ea76cce6aff198acf8317345e841b9ac
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/540897
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Cesar Alberto De oliveira <[email protected]>
Run-TryBot: Zvonimir Pavlinovic <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
zpavlinovic committed Nov 9, 2023
1 parent 4ced7d0 commit bcaf600
Showing 3 changed files with 113 additions and 8 deletions.
8 changes: 0 additions & 8 deletions data/excluded/GO-2022-0326.yaml

This file was deleted.
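Review bot: the hunk for data/excluded/GO-2022-0326.yaml shows only that the file was deleted, so the reason the report was previously excluded, and why that reason no longer holds, is not visible in this change; "Fixes #326" in the commit message is the only pointer. A sentence in the commit message stating why the entry is being moved from data/excluded to data/reports would make the history self-explanatory for anyone later auditing why this advisory was first withheld and then published.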

75 changes: 75 additions & 0 deletions data/osv/GO-2022-0326.json
@@ -0,0 +1,75 @@
{
"schema_version": "1.3.1",
"id": "GO-2022-0326",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2022-23649",
"GHSA-ccxc-vr6p-4858"
],
"summary": "Improper certificate validation in github.com/sigstore/cosign",
"details": "Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and \"keyless signing\" with Fulcio certificate authority.",
"affected": [
{
"package": {
"name": "github.com/sigstore/cosign",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/sigstore/cosign/pkg/cosign",
"symbols": [
"VerifyBundle",
"VerifyImageAttestations",
"VerifyImageSignature",
"VerifyImageSignatures",
"VerifyLocalImageAttestations",
"VerifyLocalImageSignatures"
]
},
{
"path": "github.com/sigstore/cosign/pkg/sget",
"symbols": [
"SecureGet.Do"
]
},
{
"path": "github.com/sigstore/cosign/cmd/cosign/cli/verify",
"symbols": [
"PrintVerificationHeader",
"VerifyAttestationCommand.Exec",
"VerifyCommand.Exec"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/sigstore/cosign/commit/96d410a6580e4e81d24d112a0855c70ca3fb5b49"
},
{
"type": "WEB",
"url": "https://github.com/sigstore/cosign/releases/tag/v1.5.2"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0326"
}
}
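Review bot: "modified" and "published" are both the zero timestamp "0001-01-01T00:00:00Z"; if the OSV generator fills these at publish time that is fine, but confirm they are not expected to be set in the committed file, since a consumer that orders or deduplicates entries by "modified" would treat this one as older than every other record. Separately, the "summary" says "Improper certificate validation in github.com/sigstore/cosign" while "details" describes Cosign being manipulated into claiming a Rekor transparency-log entry exists when it does not, and the direct entry point listed is VerifyBundle; check that the summary reflects the defect actually described (transparency-log inclusion verification) rather than a generic certificate-validation label carried over from the alias.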
38 changes: 38 additions & 0 deletions data/reports/GO-2022-0326.yaml
@@ -0,0 +1,38 @@
id: GO-2022-0326
modules:
- module: github.com/sigstore/cosign
versions:
- fixed: 1.5.2
vulnerable_at: 1.5.1
packages:
- package: github.com/sigstore/cosign/pkg/cosign
symbols:
- VerifyBundle
derived_symbols:
- VerifyImageAttestations
- VerifyImageSignature
- VerifyImageSignatures
- VerifyLocalImageAttestations
- VerifyLocalImageSignatures
- package: github.com/sigstore/cosign/pkg/sget
symbols:
- SecureGet.Do
- package: github.com/sigstore/cosign/cmd/cosign/cli/verify
symbols:
- VerifyAttestationCommand.Exec
- VerifyCommand.Exec
- PrintVerificationHeader
summary: Improper certificate validation in github.com/sigstore/cosign
description: |-
Cosign can be manipulated to claim that an entry for a signature in the OCI
registry exists in the Rekor transparency log even if it does not. This requires
the attacker to have pull and push permissions for the signature in OCI. This
can happen with both standard signing with a keypair and "keyless signing" with
Fulcio certificate authority.
cves:
- CVE-2022-23649
ghsas:
- GHSA-ccxc-vr6p-4858
references:
- fix: https://github.com/sigstore/cosign/commit/96d410a6580e4e81d24d112a0855c70ca3fb5b49
- web: https://github.com/sigstore/cosign/releases/tag/v1.5.2
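Review bot: in the github.com/sigstore/cosign/cmd/cosign/cli/verify package, PrintVerificationHeader is listed under `symbols` (directly affected) together with the two Exec methods, whereas in pkg/cosign only VerifyBundle is direct and the Verify* wrappers are under `derived_symbols`; if PrintVerificationHeader merely reports the outcome of verification rather than performing the bundle check itself, consider whether it belongs in `derived_symbols` so the classification is consistent across the three packages. Also confirm that `vulnerable_at: 1.5.1` is the version the derived-symbol set was computed against, since the reachability analysis that produces `derived_symbols` depends on it, and note that the symbol order here (VerifyAttestationCommand.Exec, VerifyCommand.Exec, PrintVerificationHeader) differs from the sorted order in the generated OSV file, which is harmless but worth keeping sorted for easier diffs.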
