Ability to bypass attestation verification in sigstore PolicyController
Description
PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/sigstore/policy-controllerGo | < 0.2.1 | 0.2.1 |
Affected products
4- osv-coords3 versionspkg:apk/chainguard/policy-controller-fipspkg:apk/chainguard/policy-controller-tester-fipspkg:golang/github.com/sigstore/policy-controller
< 0+ 2 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.2.1
- Range: < 0.2.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-739f-hw6h-7wq8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-35930ghsaADVISORY
- github.com/sigstore/policy-controller/commit/e852af36fb7d42678b21d7e97503c25bd1fd05c8ghsax_refsource_MISCWEB
- github.com/sigstore/policy-controller/releases/tag/v0.2.1ghsax_refsource_MISCWEB
- github.com/sigstore/policy-controller/security/advisories/GHSA-739f-hw6h-7wq8ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.