Auto-Update: 2023-11-10T23:00:19.312599+00:00

2025-07-11 16:13:34 +00:00 · 2023-11-10 23:00:22 +00:00 · 2023-11-10 23:00:22 +00:00 · 3139474764
commit 3139474764
parent 88712814a9
2 changed files with 72 additions and 7 deletions
--- a/CVE-2023/CVE-2023-471xx/CVE-2023-47122.json
+++ b/CVE-2023/CVE-2023-471xx/CVE-2023-47122.json
@ -0,0 +1,67 @@
+{
+  "id": "CVE-2023-47122",
+  "sourceIdentifier": "security-advisories@github.com",
+  "published": "2023-11-10T22:15:14.250",
+  "lastModified": "2023-11-10T22:15:14.250",
+  "vulnStatus": "Received",
+  "descriptions": [
+    {
+      "lang": "en",
+      "value": "Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available."
+    }
+  ],
+  "metrics": {
+    "cvssMetricV31": [
+      {
+        "source": "security-advisories@github.com",
+        "type": "Secondary",
+        "cvssData": {
+          "version": "3.1",
+          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N",
+          "attackVector": "NETWORK",
+          "attackComplexity": "HIGH",
+          "privilegesRequired": "HIGH",
+          "userInteraction": "REQUIRED",
+          "scope": "UNCHANGED",
+          "confidentialityImpact": "NONE",
+          "integrityImpact": "HIGH",
+          "availabilityImpact": "NONE",
+          "baseScore": 4.2,
+          "baseSeverity": "MEDIUM"
+        },
+        "exploitabilityScore": 0.5,
+        "impactScore": 3.6
+      }
+    ]
+  },
+  "weaknesses": [
+    {
+      "source": "security-advisories@github.com",
+      "type": "Secondary",
+      "description": [
+        {
+          "lang": "en",
+          "value": "CWE-347"
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "url": "https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/sigstore/gitsign/pull/399",
+      "source": "security-advisories@github.com"
+    },
+    {
+      "url": "https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc",
+      "source": "security-advisories@github.com"
+    }
+  ]
+}
--- a/README.md
+++ b/README.md
@ -9,13 +9,13 @@ Repository synchronizes with the NVD every 2 hours.
 ### Last Repository Update

 ```plain
-2023-11-10T21:00:18.809981+00:00
+2023-11-10T23:00:19.312599+00:00
 ```

 ### Most recent CVE Modification Timestamp synchronized with NVD

 ```plain
-2023-11-10T20:15:07.263000+00:00
+2023-11-10T22:15:14.250000+00:00
 ```

 ### Last Data Feed Release
@ -29,16 +29,14 @@ Download and Changelog: [Click](https://github.com/fkie-cad/nvd-json-data-feeds/
 ### Total Number of included CVEs

 ```plain
-230343
+230344
 ```

 ### CVEs added in the last Commit

-Recently added CVEs: `3`
+Recently added CVEs: `1`

-* [CVE-2023-47108](CVE-2023/CVE-2023-471xx/CVE-2023-47108.json) (`2023-11-10T19:15:16.410`)
-* [CVE-2023-47129](CVE-2023/CVE-2023-471xx/CVE-2023-47129.json) (`2023-11-10T19:15:16.617`)
-* [CVE-2023-36027](CVE-2023/CVE-2023-360xx/CVE-2023-36027.json) (`2023-11-10T20:15:07.263`)
+* [CVE-2023-47122](CVE-2023/CVE-2023-471xx/CVE-2023-47122.json) (`2023-11-10T22:15:14.250`)


 ### CVEs modified in the last Commit