VYPR
Vendor: Sigstore
Products: 9
CVEs: 30 (30 across products)
Status: Private

Recent CVEs (30)
  • CVE-2026-24137 | Medium | Jan 23, 2026
    risk 0.31 | CVSS 5.8 | EPSS 0.00

    sigstore framework is a common Go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target…

  • CVE-2024-53267 | Medium | Nov 26, 2024
    risk 0.29 | CVSS 5.5 | EPSS 0.00

    sigstore-java is a sigstore Java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients…

  • CVE-2026-44310 | Medium | May 15, 2026
    risk 0.28 | CVSS 5.4 | EPSS 0.00

    Gitsign is a keyless Sigstore signing tool for Git commits with your GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereferences certs[0] after sd.GetCertificates() without checking the slice length. A…

  • CVE-2026-44309 | Medium | May 15, 2026
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    Gitsign is a keyless Sigstore signing tool for Git commits with your GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying…

  • CVE-2026-39395 | Medium | Apr 7, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and…

  • CVE-2024-55655 | Low | Dec 10, 2024
    risk 0.11 | CVSS n/a | EPSS 0.00

    sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the…

  • CVE-2024-54140 | Low | Dec 5, 2024
    risk 0.07 | CVSS n/a | EPSS 0.00

    sigstore-java is a sigstore Java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides an invalid signature for a checkpoint. This bug impacts clients using any variation of…

  • CVE-2024-51746 | Low | Nov 5, 2024
    risk 0.05 | CVSS n/a | EPSS 0.00

    Gitsign is a keyless Sigstore signing tool for Git commits with your GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply…

  • CVE-2007-2232 | Apr 25, 2007
    risk 0.03 | CVSS n/a | EPSS 0.02

    The CHECK command in Cosign 2.0.1 and earlier allows remote attackers to bypass authentication requirements via CR (\r) sequences in the cosign cookie parameter.

  • CVE-2007-2233 | Apr 25, 2007
    risk 0.03 | CVSS n/a | EPSS 0.02

    cosign-bin/cosign.cgi in Cosign 2.0.2 and earlier allows remote authenticated users to perform unauthorized actions as an arbitrary user by using CR (\r) sequences in the service parameter to inject LOGIN and REGISTER commands with the desired username.

  • CVE-2026-31830 | Mar 10, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the…

  • CVE-2026-24122 | Feb 19, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the…

  • CVE-2026-24408 | Jan 26, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the…

  • CVE-2026-24117 | Jan 22, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via a user-provided URL. Since the SSRF can only trigger GET requests, the…

  • CVE-2026-23831 | Jan 22, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing a nil pointer dereference. Function validate() returns nil…

  • CVE-2026-22772 | Jan 12, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal…

  • CVE-2026-22703 | Jan 10, 2026
    risk 0.00 | CVSS n/a | EPSS 0.00

    Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When…

  • CVE-2025-66564 | Dec 4, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, function api.ParseJSONRequest splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits…

  • CVE-2025-66506 | Dec 4, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in…

  • CVE-2024-45395 | Sep 4, 2024
    risk 0.00 | CVSS n/a | EPSS 0.00

    sigstore-go, a Go library for Sigstore signing and verification, is susceptible to a denial of service attack in versions prior to 0.6.1 when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed…