nvd-json-data-feeds/CVE-2024/CVE-2024-541xx/CVE-2024-54140.json

{
  "id": "CVE-2024-54140",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2024-12-05T22:15:20.400",
  "lastModified": "2024-12-05T22:15:20.400",
  "vulnStatus": "Awaiting Analysis",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify(). Currently checkpoints are only used to ensure the root hash of an inclusion proof was provided by the log in question. Failing to validate that means a bundle may provide an inclusion proof that doesn't actually correspond to the log in question. This may eventually lead a monitor/witness being unable to detect when a compromised logs are providing different views of themselves to different clients. There are other mechanisms right now that mitigate this, such as the signed entry timestamp. Sigstore-java currently requires a valid signed entry timestamp. By correctly verifying the signed entry timestamp we can make certain assertions about the log signing the log entry (like the log was aware of the artifact signing event and signed it). Therefore the impact on clients that are not monitors/witnesses is very low. This vulnerability is fixed in 1.2.0."
    },
    {
      "lang": "es",
      "value": "sigstore-java es un cliente java de sigstore para interactuar con la infraestructura de sigstore. sigstore-java no tiene suficiente verificaci\u00f3n para una situaci\u00f3n en la que un paquete proporciona una firma no v\u00e1lida para un punto de control. Este error afecta a los clientes que usan cualquier variaci\u00f3n de KeylessVerifier.verify(). Actualmente, los puntos de control solo se usan para garantizar que el registro en cuesti\u00f3n proporcion\u00f3 el hash ra\u00edz de una prueba de inclusi\u00f3n. Si no se puede validar eso, un paquete puede proporcionar una prueba de inclusi\u00f3n que en realidad no corresponde al registro en cuesti\u00f3n. Esto puede eventualmente hacer que un monitor/testigo no pueda detectar cu\u00e1ndo los registros comprometidos brindan diferentes vistas de s\u00ed mismos a diferentes clientes. Existen otros mecanismos en este momento que mitigan esto, como la timestamp de entrada firmada. Sigstore-java actualmente requiere una timestamp de entrada firmada v\u00e1lida. Al verificar correctamente la timestamp de entrada firmada, podemos hacer ciertas afirmaciones sobre el registro que firma la entrada del registro (como si el registro estuviera al tanto del evento de firma del artefacto y lo firmara). Por lo tanto, el impacto en los clientes que no son monitores/testigos es muy bajo. Esta vulnerabilidad se corrigi\u00f3 en 1.2.0."
    }
  ],
  "metrics": {
    "cvssMetricV40": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "4.0",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "baseScore": 2.1,
          "baseSeverity": "LOW",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "LOW",
          "vulnAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "subAvailabilityImpact": "NONE",
          "exploitMaturity": "NOT_DEFINED",
          "confidentialityRequirement": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "availabilityRequirement": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "valueDensity": "NOT_DEFINED",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "providerUrgency": "NOT_DEFINED"
        }
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/sigstore/sigstore-conformance/pull/139",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/sigstore/sigstore-java/commit/23fb4885e6704a5df4977f7acf253a745349edf9",
      "source": "security-advisories@github.com"
    },
    {
      "url": "https://github.com/sigstore/sigstore-java/security/advisories/GHSA-jp26-88mw-89qr",
      "source": "security-advisories@github.com"
    }
  ]
}