Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cosign's verify-blob-attestation reports false positive when payload parsing fails
Vulnerability Description
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Vulnerability Type
对因果或异常条件的不恰当检查
Vulnerability Title
cosign 代码问题漏洞
Vulnerability Description
cosign是美国Sigstore开源的一个 OCI 注册表中的容器签名、验证和存储。 Cosign 3.0.6之前版本和2.6.3之前版本存在代码问题漏洞,该漏洞源于对格式错误的负载或谓词类型不匹配的验证逻辑缺陷,可能导致错误报告验证成功。
CVSS Information
N/A
Vulnerability Type
N/A