Improper Verification of Cryptographic Signature Affecting github.com/sigstore/gitsign/internal/commands/root package, versions >=0.6.0 <0.8.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.1% (42nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-GOLANG-GITHUBCOMSIGSTOREGITSIGNINTERNALCOMMANDSROOT-6056190
  • published13 Nov 2023
  • disclosed10 Nov 2023
  • creditadityasaky

Introduced: 10 Nov 2023

CVE-2023-47122  (opens in a new tab)
CWE-347  (opens in a new tab)

How to fix?

Upgrade github.com/sigstore/gitsign/internal/commands/root to version 0.8.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the Rekor API. If the upstream Rekor server is compromised, gitsign clients can be tricked into trusting incorrect signatures.

Note: The default public good instance rekor.sigstore.dev is not known to be compromised. Anyone using this instance is unlikely to be affected.

CVSS Scores

version 3.1