Insufficient verification of data authenticity in Cosign - CVE-2022-23649
Published: February 18, 2022 / Updated: April 25, 2026
Vulnerability identifier: #VU127930
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-23649
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Cosign
Cosign
Software vendor:
Sigstore
Sigstore
Description
The vulnerability allows a remote user to falsely claim that a signature entry exists in the Rekor transparency log.
The vulnerability exists due to improper verification of Rekor bundle data in cosign signature verification when processing signatures stored in OCI. A remote user can modify the signature image annotations and push the altered signature back to OCI to falsely claim that a signature entry exists in the Rekor transparency log.
Exploitation requires pull and push permissions for the signature in OCI. In keyless signing scenarios, the copied bundle must come from another signature created during the certificate validity period.
Remediation
Install security update from vendor's website.