Sigstore Go Library Vulnerable to Denial of Service Attack
CVE-2024-45395

7.5HIGH

Key Information:

Vendor

Sigstore

CVE Published:
4 September 2024

What is CVE-2024-45395?

sigstore-go, the Go library for Sigstore signing and verification, can be forced into a denial of service by the very data it is asked to verify. A crafted Sigstore Bundle may carry an excessive amount of verifiable material (for example a very large number of signed transparency log entries or RFC 3161 timestamps), and because verifying each of these structures is computationally expensive, a single such bundle drives CPU usage high enough that verification never completes in useful time. In TUF's security model this is an 'Endless data attack'. Any service that accepts untrusted bundles and verifies them with sigstore-go can be stalled this way; no confidentiality or integrity impact results, the bundle simply fails to verify, but it ties up the verifier while doing so.

The issue is fixed in sigstore-go 0.6.1, which imposes hard limits on the number of verifiable data structures a bundle may contain and rejects bundles that exceed them before the expensive verification work begins. Users who cannot upgrade immediately should validate incoming bundles themselves and reject any that carry more transparency log entries or timestamps than their workload legitimately needs, then upgrade as soon as possible.
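The pre-flight check below is an added example of the interim mitigation described above; it is not code from sigstore-go or from the advisory. It decodes only the parts of a JSON-encoded Sigstore bundle needed to count transparency log entries and RFC 3161 timestamps (the field names follow the protobuf JSON encoding of the bundle) and rejects the bundle before any signature, inclusion-proof or timestamp verification runs. The caps `MaxTlogEntries` and `MaxTimestamps`, the `SyntheticBundle` helper and the placeholder entries it produces are assumptions made for the example, not sigstore-go's own constants or valid Rekor data.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical caps applied before a bundle reaches sigstore-go's verifier.
// sigstore-go 0.6.1 enforces its own internal limits; the values here are
// an assumption chosen for this example, not the library's constants.
const (
	MaxTlogEntries = 32
	MaxTimestamps  = 32
)

// bundleShape decodes only the parts of a JSON-encoded Sigstore bundle that
// the pre-flight count needs. Field names follow the protobuf JSON encoding
// of dev.sigstore.bundle.v1.Bundle; everything else is ignored.
type bundleShape struct {
	VerificationMaterial struct {
		TlogEntries               []json.RawMessage `json:"tlogEntries"`
		TimestampVerificationData struct {
			RFC3161Timestamps []json.RawMessage `json:"rfc3161Timestamps"`
		} `json:"timestampVerificationData"`
	} `json:"verificationMaterial"`
}

// ErrTooMuchVerifiableData is returned when a bundle exceeds either cap.
var ErrTooMuchVerifiableData = errors.New("bundle carries more verifiable data than allowed")

// PreflightBundle parses raw bundle JSON and rejects it when it carries more
// transparency log entries or RFC 3161 timestamps than the caps allow. It
// runs before any cryptographic verification, so a crafted bundle is refused
// in O(size of JSON) rather than O(expensive proofs). The observed counts
// are returned so the caller can log them.
func PreflightBundle(raw []byte) (tlogEntries, timestamps int, err error) {
	var b bundleShape
	if err := json.Unmarshal(raw, &b); err != nil {
		return 0, 0, fmt.Errorf("bundle is not valid JSON: %w", err)
	}
	tlogEntries = len(b.VerificationMaterial.TlogEntries)
	timestamps = len(b.VerificationMaterial.TimestampVerificationData.RFC3161Timestamps)
	if tlogEntries > MaxTlogEntries {
		return tlogEntries, timestamps, fmt.Errorf("%w: %d tlog entries (max %d)",
			ErrTooMuchVerifiableData, tlogEntries, MaxTlogEntries)
	}
	if timestamps > MaxTimestamps {
		return tlogEntries, timestamps, fmt.Errorf("%w: %d rfc3161 timestamps (max %d)",
			ErrTooMuchVerifiableData, timestamps, MaxTimestamps)
	}
	return tlogEntries, timestamps, nil
}

// SyntheticBundle builds a constructed bundle JSON with n tlog entries and
// m timestamps. The entries are placeholders that exercise the counting
// logic only; they are not valid Rekor entries or RFC 3161 tokens.
func SyntheticBundle(n, m int) []byte {
	entries := make([]map[string]any, n)
	for i := range entries {
		entries[i] = map[string]any{"logIndex": fmt.Sprint(i), "integratedTime": "0"}
	}
	stamps := make([]map[string]any, m)
	for i := range stamps {
		stamps[i] = map[string]any{"signedTimestamp": "AAAA"}
	}
	doc := map[string]any{
		"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
		"verificationMaterial": map[string]any{
			"tlogEntries": entries,
			"timestampVerificationData": map[string]any{
				"rfc3161Timestamps": stamps,
			},
		},
	}
	raw, _ := json.Marshal(doc)
	return raw
}

func main() {
	// A normal bundle passes; the two oversized ones are refused up front.
	for _, c := range []struct{ n, m int }{{1, 1}, {1000, 0}, {0, 500}} {
		n, m, err := PreflightBundle(SyntheticBundle(c.n, c.m))
		fmt.Printf("tlogEntries=%d timestamps=%d err=%v\n", n, m, err)
	}
}
```

Place the check in front of whatever hands the bundle to sigstore-go, and size the caps to what your signing pipeline actually emits: a typical bundle carries one transparency log entry and at most a handful of timestamps, so a cap in the low tens rejects the endless-data case without touching legitimate traffic.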

Affected Version(s)

sigstore-go < 0.6.1

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 4 September 2024
