VYPR · Vendor CVEs · Sigstore

All CVEs

30 total · sorted by risk
  • CVE-2026-24137 · Med · Jan 23, 2026
    risk 0.31 · cvss 5.8 · epss 0.00

    sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target…

  • CVE-2024-53267 · Med · Nov 26, 2024
    risk 0.29 · cvss 5.5 · epss 0.00

    sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients…

  • CVE-2026-44310 · Med · May 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereferences certs[0] after sd.GetCertificates() without checking the slice length. A…

  • CVE-2026-44309 · Med · May 15, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying…

  • CVE-2026-39395 · Med · Apr 7, 2026
    risk 0.21 · cvss 4.3 · epss 0.00

    Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and…

  • CVE-2024-55655 · Low · Dec 10, 2024
    risk 0.11 · cvss n/a · epss 0.00

    sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the…

  • CVE-2024-54140 · Low · Dec 5, 2024
    risk 0.07 · cvss n/a · epss 0.00

    sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides an invalid signature for a checkpoint. This bug impacts clients using any variation of…

  • CVE-2024-51746 · Low · Nov 5, 2024
    risk 0.05 · cvss n/a · epss 0.00

    Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply…

  • CVE-2007-2232 · Apr 25, 2007
    risk 0.03 · cvss n/a · epss 0.02

    The CHECK command in Cosign 2.0.1 and earlier allows remote attackers to bypass authentication requirements via CR (\r) sequences in the cosign cookie parameter.

  • CVE-2007-2233 · Apr 25, 2007
    risk 0.03 · cvss n/a · epss 0.02

    cosign-bin/cosign.cgi in Cosign 2.0.2 and earlier allows remote authenticated users to perform unauthorized actions as an arbitrary user by using CR (\r) sequences in the service parameter to inject LOGIN and REGISTER commands with the desired username.

  • CVE-2026-31830 · Mar 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the…

  • CVE-2026-24122 · Feb 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the…

  • CVE-2026-24408 · Jan 26, 2026
    risk 0.00 · cvss n/a · epss 0.00

    sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the…

  • CVE-2026-24117 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the…

  • CVE-2026-23831 · Jan 22, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing a nil pointer dereference. Function validate() returns nil…

  • CVE-2026-22772 · Jan 12, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal…

  • CVE-2026-22703 · Jan 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When…

  • CVE-2025-66564 · Dec 4, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, function api.ParseJSONRequest splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits…

  • CVE-2025-66506 · Dec 4, 2025
    risk 0.00 · cvss n/a · epss 0.00

    Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in…

  • CVE-2024-45395 · Sep 4, 2024
    risk 0.00 · cvss n/a · epss 0.00

    sigstore-go, a Go library for Sigstore signing and verification, is susceptible to a denial of service attack in versions prior to 0.6.1 when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed…

  • CVE-2024-29903 · Apr 10, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machine. The root cause is that Cosign…

  • CVE-2024-29902 · Apr 10, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machine that rely on having memory…

  • CVE-2023-47122 · Nov 10, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign…

  • CVE-2023-46737 · Nov 7, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and cause Cosign to enter a long…

  • CVE-2023-33199 · May 26, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Rekor's goal is to provide an immutable, tamper-resistant ledger of metadata generated within a software project's supply chain. A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered so the client…

  • CVE-2023-30551 · May 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can…

  • CVE-2022-36056 · Sep 14, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should…

  • CVE-2022-35930 · Aug 4, 2022
    risk 0.00 · cvss n/a · epss 0.01

    PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid…

  • CVE-2022-35929 · Aug 4, 2022
    risk 0.00 · cvss n/a · epss 0.01

    cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verify-attestation` used with the `--type` flag will report a false positive verification when there is at least one…

  • CVE-2022-23649 · Feb 18, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't. This requires the attacker…