SB2022080445 - Input validation error in Cosign


Published: August 4, 2022
Updated: April 25, 2026

Security Bulletin ID: SB2022080445
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Input validation error (CVE-ID: CVE-2022-35929)

The vulnerability allows a remote attacker to bypass attestation type verification.

The vulnerability exists due to improper input validation in cosign verify-attestation when verifying attestations with the --type flag. A remote attacker can provide an image with at least one validly signed attestation of a different type to bypass attestation type verification.

The bypass occurs when the image carries no attestation of the requested type: the command may then report successful verification as long as any validly signed attestation is present, whatever its type.
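To make the flawed check concrete, the following Go model was written for this bulletin (it is not cosign's own code). It assumes the attestation envelopes have already passed signature verification and that the `--type` argument is compared against the in-toto predicateType; the sample attestation list is constructed. The flawed form and a fail-closed form are shown side by side.

```go
package main

import "fmt"

// Attestation models an in-toto statement attached to an image whose envelope signature has already been checked.
type Attestation struct {
	PredicateType string // in-toto predicateType URI
	SignatureOK   bool   // outcome of the signature/certificate check
}

// Constructed sample: one validly signed SLSA provenance attestation, no vulnerability-scan attestation at all.
var sampleAttestations = []Attestation{
	{PredicateType: "https://slsa.dev/provenance/v0.2", SignatureOK: true},
}

const vulnType = "https://cosign.sigstore.dev/attestation/vuln/v1"

// verifyVulnerable reproduces the flawed behaviour the bulletin describes:
// the requested type only narrows which attestations get policy checks,
// and success is reported whenever any attestation verified at all.
func verifyVulnerable(atts []Attestation, wantType string) bool {
	var verified, matching []Attestation
	for _, a := range atts {
		if a.SignatureOK {
			verified = append(verified, a)
			if a.PredicateType == wantType {
				matching = append(matching, a)
			}
		}
	}
	for range matching {
		// per-type policy checks would run here; skipped when empty
	}
	return len(verified) > 0 // BUG: ignores whether matching is empty
}

// verifyFixed requires at least one validly signed attestation whose
// predicate type equals the requested one; anything else fails closed.
func verifyFixed(atts []Attestation, wantType string) bool {
	for _, a := range atts {
		if a.SignatureOK && a.PredicateType == wantType {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("flawed:", verifyVulnerable(sampleAttestations, vulnType)) // true
	fmt.Println("fixed: ", verifyFixed(sampleAttestations, vulnType))      // false
}
```

The same fail-closed rule is what a verifier should enforce in a policy engine or admission controller: require a matching, validly signed attestation, and treat "no attestation of that type" as a failure rather than a pass.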


Remediation

Install the update from the vendor's website.