logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-55655 sigstore

Package

Manager: pip
Name: sigstore
Vulnerable Version: >=2.0.0 <3.6.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS: 0.00057 pctl0.17765

Details

sigstore has insufficient validation of integration timestamp during verification ### Summary Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present. This does not affect "v1" bundles, as the "v1" bundle format always requires an inclusion promise. ### Details Sigstore uses signed time to support verification of signatures made against short-lived signing keys. ### Impact The impact and severity of this weakness is *low*, as Sigstore contains multiple other enforcing components that prevent an attacker who modifies the integration timestamp within a bundle from impersonating a valid signature. In particular, an attacker who modifies the integration timestamp can induce a Denial of Service, but in no different manner than already possible with bundle access (e.g. modifying the signature itself such that it fails to verify). Separately, an attacker could upload a *new* entry to the transparency service, and substitute their new entry's time. However, this would still be rejected at validation time, as the new entry's (valid) signed time would be outside the validity window of the original signing certificate and would nonetheless render the attacker auditable.

Metadata

Created: 2024-12-11T18:42:00Z
Modified: 2024-12-11T18:42:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-hhfg-fwrw-87w7/GHSA-hhfg-fwrw-87w7.json
CWE IDs: ["CWE-20", "CWE-325"]
Alternative ID: GHSA-hhfg-fwrw-87w7
Finding: F052
Auto approve: 1