
sigstore — Vulnerabilities & Security Advisories 27

Browse all 27 CVE security advisories affecting sigstore. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | Component | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39984 | Sigstore Timestamp Authority has Improper Certificate Validation in verifier | timestamp-authority | CWE-295 | 5.5 | Medium | 2026-04-14 |
| CVE-2026-39395 | Cosign's verify-blob-attestation reports false positive when payload parsing fails | cosign | CWE-754 | 4.3 | Medium | 2026-04-07 |
| CVE-2026-31830 | sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest | sigstore-ruby | CWE-252 | 7.5 | High | 2026-03-10 |
| CVE-2026-24122 | Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked | cosign | CWE-295 | 3.7 | Low | 2026-02-19 |
| CVE-2026-24408 | sigstore has CSRF possibility in OIDC authentication during signing | sigstore-python | CWE-352 | - | - | 2026-01-26 |
| CVE-2026-24137 | sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal | sigstore | CWE-22 | 5.8 | Medium | 2026-01-23 |
| CVE-2026-24117 | Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL | rekor | CWE-918 | 5.3 | Medium | 2026-01-22 |
| CVE-2026-23831 | Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message | rekor | CWE-476 | 5.3 | Medium | 2026-01-22 |
| CVE-2026-22772 | Fulcio vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass | fulcio | CWE-918 | 5.8 | Medium | 2026-01-12 |
| CVE-2026-22703 | Cosign verification accepts any valid Rekor entry under certain conditions | cosign | CWE-345 | 5.5 | Medium | 2026-01-10 |
| CVE-2025-66564 | Sigstore Timestamp Authority allocates excessive memory during request parsing | timestamp-authority | CWE-405 | 7.5 | High | 2025-12-04 |
| CVE-2025-66506 | Fulcio allocates excessive memory during token parsing | fulcio | CWE-405 | 7.5 | High | 2025-12-04 |
| CVE-2024-55655 | sigstore-python has insufficient validation of integration timestamp during verification | sigstore-python | CWE-20 | 6.5 | - | 2024-12-10 |
| CVE-2024-54140 | sigstore-java has a vulnerability with bundle verification | sigstore-java | CWE-20 | - | - | 2024-12-05 |
| CVE-2024-53267 | Vulnerability with bundle verification in sigstore-java | sigstore-java | CWE-347 | 5.5 | Medium | 2024-11-26 |
| CVE-2024-51746 | Use of incorrect Rekor entries during verification in gitsign | gitsign | CWE-706 | 6.5 | - | 2024-11-05 |
| CVE-2024-45395 | Unbounded loop over untrusted input can lead to endless data attack | sigstore-go | CWE-835 | 3.1 | Low | 2024-09-04 |
| CVE-2024-29903 | Cosign vulnerable to machine-wide denial of service via malicious artifacts | cosign | CWE-770 | 4.2 | Medium | 2024-04-10 |
| CVE-2024-29902 | Cosign vulnerable to system-wide denial of service via malicious attachments | cosign | CWE-770 | 4.2 | Medium | 2024-04-10 |
| CVE-2023-47122 | Gitsign's Rekor public keys fetched from upstream API instead of local TUF client | gitsign | CWE-347 | 4.2 | Medium | 2023-11-10 |
| CVE-2023-46737 | Possible endless data attack from attacker-controlled registry in cosign | cosign | CWE-400 | 3.1 | Low | 2023-11-07 |
| CVE-2023-33199 | Malformed proposed intoto v0.0.2 entries can cause a panic in Rekor | rekor | CWE-617 | 5.3 | Medium | 2023-05-26 |
| CVE-2023-30551 | Rekor's compressed archives can result in OOM conditions | rekor | CWE-770 | 7.5 | High | 2023-05-08 |
| CVE-2022-36056 | Vulnerabilities with blob verification in sigstore cosign | cosign | CWE-347 | 5.5 | Medium | 2022-09-14 |
| CVE-2022-35930 | Ability to bypass attestation verification in sigstore PolicyController | policy-controller | CWE-347 | 7.1 | High | 2022-08-04 |
| CVE-2022-35929 | False positive signature verification in cosign | cosign | CWE-347 | 7.1 | High | 2022-08-04 |
| CVE-2022-23649 | Improper Certificate Validation in Cosign | cosign | CWE-295 | 3.3 | Low | 2022-02-18 |

This page lists every published CVE security advisory associated with sigstore. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.