{
"id": "CVE-2024-53267",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-11-26T19:15:30.473",
"lastModified": "2024-11-26T19:15:30.473",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but \"mismatched\" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation of KeylessVerifier.verify(). The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby \"verifying\" a bundle without any proof the signing event was logged. This allows the creation of a bundle without fulcio certificate and private key combined with an unrelated but time-correct log entry to fake logging of a signing event. A malicious actor using a compromised identity may want to do this to prevent discovery via rekor's log monitors. The signer's identity will still be available to the verifier. The signature on the bundle must still be on the correct artifact for the verifier to pass. sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality. This issue has been patched in v1.1.0 release with PR #856. All users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "sigstore-java es un cliente java de sigstore para interactuar con la infraestructura de sigstore. sigstore-java no tiene suficiente verificaci\u00f3n para una situaci\u00f3n en la que un paquete firmado v\u00e1lidamente pero \"no coincidente\" se presenta como prueba de inclusi\u00f3n en un registro de transparencia. Este error afecta a los clientes que usan cualquier variaci\u00f3n de KeylessVerifier.verify(). El verificador puede aceptar un paquete con una entrada de registro no relacionada, verificando criptogr\u00e1ficamente todo, pero no puede garantizar que la entrada de registro se aplique al artefacto en cuesti\u00f3n, por lo que \"verifica\" un paquete sin ninguna prueba de que se haya registrado el evento de firma. Esto permite la creaci\u00f3n de un paquete sin certificado fulcio y clave privada combinados con una entrada de registro no relacionada pero correcta en el tiempo para simular el registro de un evento de firma. Un actor malintencionado que use una identidad comprometida puede querer hacer esto para evitar el descubrimiento a trav\u00e9s de los monitores de registro de rekor. La identidad del firmante seguir\u00e1 estando disponible para el verificador. La firma en el paquete debe seguir estando en el artefacto correcto para que el verificador la apruebe. Sigstore-gradle-plugin y sigstore-maven-plugin no se ven afectados por esto, ya que solo brindan funcionalidad de firma. Este problema se ha corregido en la versi\u00f3n v1.1.0 con PR #856. Se recomienda a todos los usuarios que actualicen. No existen workarounds conocidas para esta vulnerabilidad."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"attackVector": "LOCAL",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-347"
}
]
}
],
"references": [
{
"url": "https://github.com/sigstore/sigstore-conformance/pull/166",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/sigstore/sigstore-java/pull/856",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w",
"source": "security-advisories@github.com"
}
]
}