VYPR

Sigstore

by Sigstore

gem: sigstore

Source repositories

CVEs (3)

  • CVE-2026-24137 (Medium severity) - Jan 23, 2026
    risk 0.31, CVSS 5.8, EPSS 0.00

    sigstore framework is a common Go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target…

  • CVE-2026-31830 - Mar 10, 2026
    risk 0.00, CVSS (none listed), EPSS 0.00

    sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the…

  • CVE-2024-45395 - Sep 4, 2024
    risk 0.00, CVSS (none listed), EPSS 0.00

    sigstore-go, a Go library for Sigstore signing and verification, is susceptible to a denial of service attack in versions prior to 0.6.1 when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed…