dev.sigstore:sigstore-java@0.5.0 vulnerabilities

  • latest version

    1.1.0

  • first published

    2 years ago

  • latest version published

    20 days ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the dev.sigstore:sigstore-java package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • L
    Improper Input Validation

    Affected versions of this package are vulnerable to Improper Input Validation through the KeylessVerifier.verify process. An attacker can manipulate the verification process by altering the checkpoint signature in the bundle.

    Note: sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality.

    How to fix Improper Input Validation?

    Upgrade dev.sigstore:sigstore-java to version 1.2.0 or higher.

    [,1.2.0)
    • M
    Insufficient Verification of Data Authenticity

    Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity through the verify process. An attacker can manipulate the verification process by creating a mismatched bundle that passes cryptographic checks but is not actually associated with the artifact in question.

    Note: sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality.

    How to fix Insufficient Verification of Data Authenticity?

    Upgrade dev.sigstore:sigstore-java to version 1.1.0 or higher.

    [,1.1.0)