Maven package
dev.sigstore/sigstore-java
pkg:maven/dev.sigstore/sigstore-java
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-54140 | Low | — | | < 1.2.0 | 1.2.0 | Dec 5, 2024 | sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides an invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify() |
| CVE-2024-53267 | Med | 5.5 | | >= 1.0.0, < 1.1.0 | 1.1.0 | Nov 26, 2024 | sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients us |