Improper Verification of Cryptographic Signature in Cosign

#VU67910 Improper Verification of Cryptographic Signature in Cosign

Published: 2022-10-04

Vulnerability identifier: #VU67910

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36056

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cosign
/

Vendor: Sigstore

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improper verification of signature when processing artifacts. A remote attacker can supply a specially crafted artifact and bypass the implemented blob verification process.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cosign: 0.1.0 - 1.11.1

External links
http://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25
http://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilitie sin Red Hat Advanced Cluster Security (RHACS)

SUSE update for cosign

Security restrictions bypass in Cosign