Main Vulnerability Database SB2022021849

SB2022021849 - Insufficient verification of data authenticity in Cosign

Published: February 18, 2022 Updated: April 25, 2026

Security Bulletin ID SB2022021849

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Insufficient verification of data authenticity (CVE-ID: CVE-2022-23649)

The vulnerability allows a remote user to falsely claim that a signature entry exists in the Rekor transparency log.

The vulnerability exists due to improper verification of Rekor bundle data in cosign signature verification when processing signatures stored in OCI. A remote user can modify the signature image annotations and push the altered signature back to OCI to falsely claim that a signature entry exists in the Rekor transparency log.

Exploitation requires pull and push permissions for the signature in OCI. In keyless signing scenarios, the copied bundle must come from another signature created during the certificate validity period.

Remediation

Install update from vendor's website.

References

https://github.com/sigstore/cosign/security/advisories/GHSA-ccxc-vr6p-4858