Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Ability to bypass attestation verification in sigstore PolicyController
Vulnerability Description
PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
sigstore Policy Controller 数据伪造问题漏洞
Vulnerability Description
sigstore Policy Controller是sigstore公司的一个工具。 Policy Controller 0.2.1之前版本存在数据伪造问题漏洞,该漏洞源于Policy Controller 存在报告误报,导致在不应该被录取的情况下被录取。
CVSS Information
N/A
Vulnerability Type
N/A