Insufficient Verification of Data Authenticity Affecting dev.sigstore:sigstore-java package, versions [,1.1.0)


Severity: medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.05% (18th percentile)

  • Snyk ID: SNYK-JAVA-DEVSIGSTORE-8427783
  • published: 27 Nov 2024
  • disclosed: 26 Nov 2024
  • credit: loosebazooka

Introduced: 26 Nov 2024

CVE-2024-53267
CWE-345

How to fix?

Upgrade dev.sigstore:sigstore-java to version 1.1.0 or higher.

Overview

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the verify process. An attacker can manipulate verification by supplying a mismatched bundle: one that passes the cryptographic checks but whose transparency log entry is not actually associated with the artifact in question.

Note: sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality.

Workaround

Verifiers can recreate the log entry from the artifact, signature and certificate they are checking and compare it to the log entry provided in the bundle, or contact the log and confirm whether the artifact signing event has indeed been added to the log.
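The offline half of that workaround, written here as an added example (it is not Snyk's text nor sigstore-java's code): rebuild the Rekor hashedrekord entry body that the artifact digest, signature and certificate should produce, canonicalize it, and require it to equal the base64-decoded canonicalizedBody of every tlog entry in the bundle. The sample artifact, signature and certificate bytes are constructed placeholders, not real cryptographic material, and the check assumes the Sigstore bundle JSON layout (verificationMaterial.tlogEntries[].canonicalizedBody) and the hashedrekord v0.0.1 entry layout; it deliberately does not re-verify the signature itself, which the library already does.

```python
import base64
import hashlib
import json

# Constructed sample inputs: the artifact bytes, the raw signature bytes and the
# PEM certificate a verifier already has in hand. None of these are real.
ARTIFACT = b"hello sigstore\n"
SIGNATURE = bytes(range(64))  # placeholder, not a valid ECDSA signature
CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n"
            b"Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0VSVA==\n"
            b"-----END CERTIFICATE-----\n")


def expected_hashedrekord(artifact: bytes, signature: bytes, cert_pem: bytes) -> dict:
    """Rebuild the Rekor 'hashedrekord' (v0.0.1) entry body that this exact
    artifact/signature/certificate triple would have produced at signing time."""
    return {
        "apiVersion": "0.0.1",
        "kind": "hashedrekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256",
                              "value": hashlib.sha256(artifact).hexdigest()}},
            "signature": {
                "content": base64.b64encode(signature).decode(),
                "publicKey": {"content": base64.b64encode(cert_pem).decode()},
            },
        },
    }


def canonicalize(entry: dict) -> bytes:
    # Rekor canonicalizes entry bodies with JSON Canonicalization (RFC 8785):
    # keys sorted, no insignificant whitespace. For a structure made only of
    # ASCII strings and nested objects, this json.dumps form yields the same bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode()


def log_entry_matches(bundle: dict, artifact: bytes, signature: bytes,
                      cert_pem: bytes) -> bool:
    """Workaround check: every tlog entry carried in the bundle must be the entry
    for *this* artifact, signature and certificate, not merely a well-formed entry
    that belongs to some other signing event."""
    expected = canonicalize(expected_hashedrekord(artifact, signature, cert_pem))
    entries = bundle.get("verificationMaterial", {}).get("tlogEntries", [])
    if not entries:
        return False  # no log evidence at all: treat as a failed check
    for entry in entries:
        try:
            body = base64.b64decode(entry["canonicalizedBody"], validate=True)
        except (KeyError, ValueError):
            return False
        if body != expected:
            return False
    return True


def make_bundle(artifact: bytes, signature: bytes, cert_pem: bytes) -> dict:
    """Constructed helper: a bundle fragment in the Sigstore bundle JSON shape
    carrying one tlog entry (only the fields the check above reads)."""
    body = canonicalize(expected_hashedrekord(artifact, signature, cert_pem))
    return {"verificationMaterial": {"tlogEntries": [
        {"logIndex": "0", "canonicalizedBody": base64.b64encode(body).decode()}]}}


if __name__ == "__main__":
    genuine = make_bundle(ARTIFACT, SIGNATURE, CERT_PEM)
    # A bundle whose log entry was produced for a different artifact: the
    # mismatched-bundle case this advisory describes.
    mismatched = make_bundle(b"some other artifact\n", SIGNATURE, CERT_PEM)
    print("genuine bundle   :", log_entry_matches(genuine, ARTIFACT, SIGNATURE, CERT_PEM))
    print("mismatched bundle:", log_entry_matches(mismatched, ARTIFACT, SIGNATURE, CERT_PEM))
```

The online half of the workaround, asking the log directly whether this signing event was recorded, is the complement to this check rather than a replacement for it: the offline comparison proves the bundle's entry is the one this artifact would have produced, while a query to the log proves that entry was actually included.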
