Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.
CVE-2023-47122

4.2MEDIUM

Key Information:

Vendor

Sigstore

Status
Gitsign
Vendor
CVE Published:
10 November 2023

What is CVE-2023-47122?

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (rekor.sigstore.dev) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

Affected Version(s)

gitsign >= 0.6.0, < 0.8.0

References

https://github.com/sigstore/gitsign/security/advisories/G...
x_refsource_CONFIRM
https://github.com/sigstore/gitsign/pull/399
x_refsource_MISC
https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3...
x_refsource_MISC

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.