Input validation error in Cosign - CVE-2022-35929

Published: August 4, 2022 / Updated: April 25, 2026

Vulnerability identifier: #VU127929
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-35929
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Cosign
Software vendor: Sigstore

Description

The vulnerability allows a remote attacker to bypass attestation type verification.

The vulnerability exists due to improper input validation in cosign verify-attestation when attestations are verified with the --type flag. A remote attacker who can supply an image carrying at least one validly signed attestation of a different type can bypass the attestation type check.

The bypass occurs when no attestation of the requested type exists: the command may then incorrectly report successful verification because some valid attestation is present, regardless of its type.
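The failure mode described above, reduced to its essential check, as an added illustration that is not cosign's own code. The Attestation type, the two verify functions and the sample attestation list are all constructed for this example; the predicate-type strings are sample URIs used as inputs, and no Sigstore API is called. VerifyAnyValid shows the flawed logic (signature checked, requested type never compared), VerifyTyped shows the hardened form that filters on the requested type first and fails closed when nothing matches.

```go
package main

import (
	"errors"
	"fmt"
)

// Attestation is a simplified, constructed model of one attestation
// attached to an image: the in-toto predicate type it carries and
// whether its signature verified. Not cosign's own types.
type Attestation struct {
	PredicateType string
	Signed        bool
}

// Constructed sample input: an image with one validly signed provenance
// attestation and one vulnerability-scan attestation whose signature
// does not verify. No validly signed vuln attestation exists.
var sampleAttestations = []Attestation{
	{PredicateType: "https://slsa.dev/provenance/v0.2", Signed: true},
	{PredicateType: "cosign.sigstore.dev/attestation/vuln/v1", Signed: false},
}

// VerifyAnyValid reproduces the flawed check the advisory describes:
// it accepts the image as soon as any attestation is validly signed and
// never compares the requested type against the types actually present.
func VerifyAnyValid(atts []Attestation, requestedType string) error {
	for _, a := range atts {
		if a.Signed {
			return nil
		}
	}
	return errors.New("no validly signed attestation found")
}

// VerifyTyped is the hardened form: only attestations whose predicate
// type equals requestedType are considered, and the absence of any such
// attestation is an error rather than a silent pass.
func VerifyTyped(atts []Attestation, requestedType string) error {
	matched := 0
	for _, a := range atts {
		if a.PredicateType != requestedType {
			continue
		}
		matched++
		if a.Signed {
			return nil
		}
	}
	if matched == 0 {
		return fmt.Errorf("no attestation of type %q found", requestedType)
	}
	return fmt.Errorf("attestations of type %q present but none validly signed", requestedType)
}

func main() {
	want := "cosign.sigstore.dev/attestation/vuln/v1"
	// Flawed check: passes because the provenance attestation is signed.
	fmt.Println("flawed check  :", VerifyAnyValid(sampleAttestations, want))
	// Hardened check: fails because no vuln attestation is validly signed.
	fmt.Println("hardened check:", VerifyTyped(sampleAttestations, want))
}
```

The detection value for a defender is in the second branch of VerifyTyped: a verifier should distinguish "no attestation of the requested type" from "attestation present but unsigned", and treat both as failures, so that a policy gate requiring, say, a vulnerability-scan attestation cannot be satisfied by an unrelated signed predicate.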


Remediation

Install the security update from the vendor's website.

External links