VYPR

Maven package

dev.sigstore/sigstore-java

pkg:maven/dev.sigstore/sigstore-java

Vulnerabilities (2)

  • CVE-2024-54140 | Low | Dec 5, 2024
    affected < 1.2.0; fixed 1.2.0

    sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides an invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify().

  • CVE-2024-53267 | Med | Nov 26, 2024
    affected >= 1.0.0, < 1.1.0; fixed 1.1.0

    sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients us