admin/nvd-json-data-feeds
1
0
Fork 0
mirror of https://github.com/fkie-cad/nvd-json-data-feeds.git synced 2025-05-28 09:11:28 +00:00
Code Issues Packages Projects Releases Wiki Activity
nvd-json-data-feeds/CVE-2024/CVE-2024-556xx/CVE-2024-55655.json
cad-safe-bot 627729c313 Auto-Update: 2025-03-02T03:00:19.570958+00:00
2025-03-02 03:03:52 +00:00

94 lines
6.2 KiB
JSON
Raw Blame History

{
"id": "CVE-2024-55655",
"sourceIdentifier": "security-advisories@github.com",
"published": "2024-12-10T23:15:06.570",
"lastModified": "2024-12-10T23:15:06.570",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the \"integration time\" present in \"v2\" and \"v3\" bundles during the verification flow: the \"integration time\" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present. This does not affect \"v1\" bundles, as the \"v1\" bundle format always requires an inclusion promise.\n\nSigstore uses signed time to support verification of signatures made against short-lived signing keys. The impact and severity of this weakness is *low*, as Sigstore contains multiple other enforcing components that prevent an attacker who modifies the integration timestamp within a bundle from impersonating a valid signature. In particular, an attacker who modifies the integration timestamp can induce a Denial of Service, but in no different manner than already possible with bundle access (e.g. modifying the signature itself such that it fails to verify). Separately, an attacker could upload a *new* entry to the transparency service, and substitute their new entry's time. However, this would still be rejected at validation time, as the new entry's (valid) signed time would be outside the validity window of the original signing certificate and would nonetheless render the attacker auditable."
},
{
"lang": "es",
"value": "sigstore-python es una herramienta Python para generar y verificar firmas de Sigstore. Las versiones de sigstore-python m\u00e1s nuevas que 2.0.0 pero anteriores a 3.6.0 realizan una validaci\u00f3n insuficiente del \"tiempo de integraci\u00f3n\" presente en los paquetes \"v2\" y \"v3\" durante el flujo de verificaci\u00f3n: el \"tiempo de integraci\u00f3n\" se verifica *si* est\u00e1 presente una fuente de tiempo firmado (como una promesa de inclusi\u00f3n), pero se conf\u00eda en otro caso si no est\u00e1 presente ninguna fuente de tiempo firmado. Esto no afecta a los paquetes \"v1\", ya que el formato de paquete \"v1\" siempre requiere una promesa de inclusi\u00f3n. Sigstore utiliza tiempo firmado para respaldar la verificaci\u00f3n de firmas realizadas contra claves de firma de corta duraci\u00f3n. El impacto y la gravedad de esta debilidad son *bajos*, ya que Sigstore contiene varios otros componentes de cumplimiento que evitan que un atacante que modifique la marca de tiempo de integraci\u00f3n dentro de un paquete suplante una firma v\u00e1lida. En particular, un atacante que modifica la marca de tiempo de integraci\u00f3n puede inducir una denegaci\u00f3n de servicio, pero de la misma manera que ya es posible con el acceso a paquetes (por ejemplo, modificando la propia firma de forma que no se verifique). Por otra parte, un atacante podr\u00eda cargar una *nueva* entrada en el servicio de transparencia y sustituir la hora de la nueva entrada. Sin embargo, esta ser\u00eda rechazada en el momento de la validaci\u00f3n, ya que la hora de firma (v\u00e1lida) de la nueva entrada estar\u00eda fuera de la ventana de validez del certificado de firma original y, no obstante, har\u00eda que el atacante fuera auditable."
}
],
"metrics": {
"cvssMetricV40": [
{
"source": "security-advisories@github.com",
"type": "Secondary",
"cvssData": {
"version": "4.0",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"baseScore": 2.7,
"baseSeverity": "LOW",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"subAvailabilityImpact": "NONE",
"exploitMaturity": "UNREPORTED",
"confidentialityRequirement": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"availabilityRequirement": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"valueDensity": "NOT_DEFINED",
"vulnerabilityResponseEffort": "NOT_DEFINED",
"providerUrgency": "NOT_DEFINED"
}
}
]
},
"weaknesses": [
{
"source": "security-advisories@github.com",
"type": "Primary",
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-325"
}
]
}
],
"references": [
{
"url": "https://github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/sigstore/sigstore-python/releases/tag/v3.6.0",
"source": "security-advisories@github.com"
},
{
"url": "https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hhfg-fwrw-87w7",
"source": "security-advisories@github.com"
}
]
}
Reference in New Issue View Git Blame Copy Permalink