What is the impact of GHSA-xvrc-2wvh-49vc?

In certain versions of gitsign, Rekor public keys were fetched via the Rekor API instead of through the local TUF client, potentially allowing incorrect signatures to be trusted if the upstream Rekor server is compromised.

How can GHSA-xvrc-2wvh-49vc affect gitsign clients?

GHSA-xvrc-2wvh-49vc can potentially trick gitsign clients into trusting incorrect signatures if the upstream Rekor server is compromised.

What is the severity of GHSA-xvrc-2wvh-49vc?

The severity of GHSA-xvrc-2wvh-49vc is medium with a severity value of 4.2.

Which version of gitsign is affected by GHSA-xvrc-2wvh-49vc?

Versions between 0.6.0 (inclusive) and 0.8.0 (exclusive) of gitsign are affected by GHSA-xvrc-2wvh-49vc.

What is the Common Weakness Enumeration (CWE) ID for GHSA-xvrc-2wvh-49vc?

The Common Weakness Enumeration (CWE) ID for GHSA-xvrc-2wvh-49vc is 347.

Vulnerability/
GHSA-xvrc-2wvh-49vc

medium

4.2

CWE

347

14/11/2023

GHSA-xvrc-2wvh-49vc

First published: Tue Nov 14 2023(Updated: )

### Impact In certain versions of gitsign, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unlikely to be affected. ### Patches This was fixed in v0.8.0 via https://github.com/sigstore/gitsign/pull/399 ### Workarounds n/a ### References _Are there any links users can visit to find out more?_ https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model

Affected Software	Affected Version	How to fix
go/github.com/sigstore/gitsign	>=0.6.0<0.8.0	0.8.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the impact of GHSA-xvrc-2wvh-49vc?
In certain versions of gitsign, Rekor public keys were fetched via the Rekor API instead of through the local TUF client, potentially allowing incorrect signatures to be trusted if the upstream Rekor server is compromised.
How can GHSA-xvrc-2wvh-49vc affect gitsign clients?
GHSA-xvrc-2wvh-49vc can potentially trick gitsign clients into trusting incorrect signatures if the upstream Rekor server is compromised.
What is the severity of GHSA-xvrc-2wvh-49vc?
The severity of GHSA-xvrc-2wvh-49vc is medium with a severity value of 4.2.
Which version of gitsign is affected by GHSA-xvrc-2wvh-49vc?
Versions between 0.6.0 (inclusive) and 0.8.0 (exclusive) of gitsign are affected by GHSA-xvrc-2wvh-49vc.
What is the Common Weakness Enumeration (CWE) ID for GHSA-xvrc-2wvh-49vc?
The Common Weakness Enumeration (CWE) ID for GHSA-xvrc-2wvh-49vc is 347.

collector/github-advisory-latest
alias/GHSA-xvrc-2wvh-49vc
alias/CVE-2023-47122
collector/github-advisory
package-manager/go

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.