CVE-2024-51746 – github.com/sigstore/gitsign
Package
Manager: go
Name: github.com/sigstore/gitsign
Vulnerable Version: >=0 <0.11.0
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00024 pctl0.04868
Details
gitsign may use incorrect Rekor entries during verification ### Summary gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. ### Details gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match _either_ condition rather than _both_. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification. ### PoC Enable the credential cache and create commit signatures using the cached signing certificate. `gitsign verify` or `git log --show-signature` will demonstrate the use of the wrong entry index for the corresponding commit. Note that this depends on the order of matching entries in the response from the Rekor search API, so it may take a few attempts to trigger this. ### Impact Minimal. While gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder.
Metadata
Created: 2024-11-05T15:26:57Z
Modified: 2024-11-06T19:55:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-8pmp-678w-c8xx/GHSA-8pmp-678w-c8xx.json
CWE IDs: ["CWE-287", "CWE-706"]
Alternative ID: GHSA-8pmp-678w-c8xx
Finding: F013
Auto approve: 1