PT-2026-24484 · Unknown · Sigstore-Ruby

Hanazuki · Published 2026-03-10 · Updated 2026-03-11 · CVE-2026-31830

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: sigstore-ruby versions prior to 0.2.3

Description: The software does not correctly handle verification failures when the artifact digest does not match the digest in the in-toto attestation subject. Specifically, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto. As a result, verification succeeds even when the artifact does not match the attested subject, which affects the verification of DSSE bundles containing in-toto statements.

Recommendations: Update to version 0.2.3 or later.
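The unchecked-return-value shape described above, as an added illustration that is not sigstore-ruby's own code: a stand-in verifier whose verify method first drops the result of the in-toto subject check (the vulnerable shape) and then propagates it (the fixed shape). The result classes, the verify_in_toto stand-in and the constructed statement are assumptions for the illustration.

```ruby
require "digest"

# Minimal stand-ins for a verification result (assumed; not sigstore-ruby's classes).
VerificationSuccess = Struct.new(:ok) do
  def verified?; true; end
end
VerificationFailure = Struct.new(:reason) do
  def verified?; false; end
end

# Compare the artifact's SHA-256 digest against the digests listed in the
# in-toto statement's subject. Stand-in for the library's own check.
def verify_in_toto(statement, artifact)
  digest = Digest::SHA256.hexdigest(artifact)
  subjects = statement.fetch("subject", [])
  return VerificationFailure.new("statement has no subject") if subjects.empty?
  matched = subjects.any? { |s| s.dig("digest", "sha256") == digest }
  return VerificationSuccess.new(true) if matched
  VerificationFailure.new("artifact digest #{digest} matches no statement subject")
end

# Vulnerable shape: the sub-check runs, but its result is discarded, so the
# caller is told the bundle verified even when the subject does not match.
def verify_unchecked(statement, artifact)
  verify_in_toto(statement, artifact) # return value ignored: this is the bug
  VerificationSuccess.new(true)
end

# Fixed shape: a VerificationFailure from the sub-check is returned to the caller.
def verify_checked(statement, artifact)
  result = verify_in_toto(statement, artifact)
  return result unless result.verified?
  VerificationSuccess.new(true)
end

# Constructed sample: a statement attesting one artifact, and a tampered copy.
GOOD = "release-1.0.tgz contents (constructed)"
STATEMENT = {
  "_type" => "https://in-toto.io/Statement/v1",
  "subject" => [{ "name" => "release-1.0.tgz",
                  "digest" => { "sha256" => Digest::SHA256.hexdigest(GOOD) } }],
}
TAMPERED = GOOD + " + injected bytes"

if __FILE__ == $PROGRAM_NAME
  puts "unchecked, tampered artifact: #{verify_unchecked(STATEMENT, TAMPERED).verified?}" # true (bug)
  puts "checked,   tampered artifact: #{verify_checked(STATEMENT, TAMPERED).verified?}"   # false
end
```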

Weakness Enumeration

Unchecked Return Value

Related identifiers

CVE-2026-31830
GHSA-MHG6-2Q2V-9H2C

Affected products

Sigstore-Ruby