Input validation error in Cosign - CVE-2022-35929

Published: August 4, 2022 / Updated: April 25, 2026


Vulnerability identifier: #VU127929
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-35929
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sigstore
Affected software:
Cosign (versions before 1.10.0)

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass the attestation type check in cosign verify-attestation.

The vulnerability exists due to improper input validation in cosign verify-attestation when the --type flag is used to request a specific attestation type (for example slsaprovenance). The command filters the attestations attached to an image by predicate type, but an empty result of that filter is not treated as a failure. A remote attacker who controls an image can therefore attach at least one validly signed attestation of a different type and have verification of the requested type reported as successful.

The false positive occurs only when no attestation of the requested type exists: any valid attestation of another type is enough for the command to exit successfully, so a policy that relies on "verify-attestation --type X succeeded" can be satisfied by an image that carries no attestation of type X at all.
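The following Go program is an added illustration of the logic flaw described above; it is not cosign's source code. It models the attestations attached to an image as DSSE envelopes that are assumed to have already passed signature verification, filters them by in-toto predicateType, and shows the two possible outcomes of an empty filter result: the vulnerable flow, which returns success because the filter itself produced no error, and the fixed flow, which fails closed. The --type alias table, the envelope contents and the image name are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the DSSE wrapper cosign stores as an attestation layer. Signature
// verification is assumed to have already succeeded for every envelope passed in;
// this example is only about the --type filter that runs afterwards.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64-encoded in-toto Statement
}

// statement is the minimal in-toto Statement shape needed for type filtering.
type statement struct {
	Type          string         `json:"_type"`
	PredicateType string         `json:"predicateType"`
	Subject       []subject      `json:"subject"`
	Predicate     map[string]any `json:"predicate"`
}

type subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// predicateURI maps --type aliases to predicateType URIs. Assumed values, modelled
// on cosign's aliases; only the shape of the mapping matters for the logic shown.
var predicateURI = map[string]string{
	"custom":         "https://cosign.sigstore.dev/attestation/v1",
	"slsaprovenance": "https://slsa.dev/provenance/v0.2",
	"vuln":           "https://cosign.sigstore.dev/attestation/vuln/v1",
}

var ErrNoMatchingAttestation = errors.New("no attestations of the requested type found")

// newEnvelope builds a constructed (unsigned) attestation for the example.
func newEnvelope(predicateType string, predicate map[string]any) Envelope {
	st := statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		PredicateType: predicateType,
		Subject: []subject{{Name: "example.invalid/app", Digest: map[string]string{
			"sha256": "0000000000000000000000000000000000000000000000000000000000000000"}}},
		Predicate: predicate,
	}
	raw, _ := json.Marshal(st)
	return Envelope{PayloadType: "application/vnd.in-toto+json", Payload: base64.StdEncoding.EncodeToString(raw)}
}

// SampleEnvelopes is the constructed input: an image carrying exactly one valid
// attestation, and it is of the default "custom" type, not SLSA provenance.
func SampleEnvelopes() []Envelope {
	return []Envelope{
		newEnvelope(predicateURI["custom"], map[string]any{"Data": "built by ci", "Timestamp": "2022-08-01T00:00:00Z"}),
	}
}

// filterByType keeps only envelopes whose statement predicateType matches the alias.
func filterByType(envs []Envelope, typ string) ([]Envelope, error) {
	want, ok := predicateURI[typ]
	if !ok {
		return nil, fmt.Errorf("unknown attestation type %q", typ)
	}
	var out []Envelope
	for _, e := range envs {
		raw, err := base64.StdEncoding.DecodeString(e.Payload)
		if err != nil {
			return nil, err
		}
		var st statement
		if err := json.Unmarshal(raw, &st); err != nil {
			return nil, err
		}
		if st.PredicateType == want {
			out = append(out, e)
		}
	}
	return out, nil
}

// VerifyTypeVulnerable models the flawed flow: the filter's nil error is taken as
// success even when it matched nothing, so any valid attestation satisfies any --type.
func VerifyTypeVulnerable(envs []Envelope, typ string) error {
	_, err := filterByType(envs, typ)
	return err // BUG: zero matches is reported as success
}

// VerifyTypeFixed fails closed: an empty match set is a verification failure.
func VerifyTypeFixed(envs []Envelope, typ string) error {
	matched, err := filterByType(envs, typ)
	if err != nil {
		return err
	}
	if len(matched) == 0 {
		return fmt.Errorf("%w: wanted %s", ErrNoMatchingAttestation, predicateURI[typ])
	}
	return nil
}

func main() {
	envs := SampleEnvelopes()
	fmt.Println("vulnerable, --type slsaprovenance:", VerifyTypeVulnerable(envs, "slsaprovenance")) // <nil>: false positive
	fmt.Println("fixed,      --type slsaprovenance:", VerifyTypeFixed(envs, "slsaprovenance"))      // error
	fmt.Println("fixed,      --type custom:        ", VerifyTypeFixed(envs, "custom"))              // <nil>
}
```

The fix is the single length check: a type filter that can legitimately match nothing must report "nothing matched" as a distinct failure rather than letting the caller infer success from the absence of a decoding or signature error. The same fail-closed rule applies to any policy engine that consumes verify-attestation output: require at least one attestation of the expected type, not merely a zero exit status.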


How to mitigate CVE-2022-35929

Upgrade Cosign to version 1.10.0 or later, in which verify-attestation fails when no attestation of the type requested with --type is present. Until the upgrade is rolled out, do not treat a successful verify-attestation --type exit status as proof that an attestation of that type exists; inspect the returned attestations and check their predicateType explicitly.

Sources