Improper Validation of Integrity Check Value Affecting github.com/slsa-framework/slsa-verifier/v2/verifiers package, versions <2.4.1
Threat Intelligence
Exploit maturity not defined.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-GOLANG-GITHUBCOMSLSAFRAMEWORKSLSAVERIFIERV2VERIFIERS-6052815
- published9 Nov 2023
- disclosed8 Nov 2023
- creditTrishank Karthik Kuppusamy
Introduced: 8 Nov 2023
CVE NOT AVAILABLE CWE-354 (opens in a new tab)How to fix?
Upgrade github.com/slsa-framework/slsa-verifier/v2/verifiers to version 2.4.1 or higher.
Overview
Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value. An attacker can manipulate the npm's publish attestations signature by tampering with the payload of the attestation. This allows the attacker to associate a package with an arbitrary name and version that do not match what the user expects from the publish attestation. Furthermore, the package digest in the publish attestation need not match its counterpart in the provenance attestation. However, the attacker cannot associate the given package with an arbitrary source and builder that the user does not expect from the provenance attestation.