PT-2026-37206 · Go · github.com/supply-chain-tools/gitverify

Published: 2026-04-24 · Updated: 2026-04-24

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

gitverify is still a prototype.

Impact

The bug concerns requireSignedTags, which is on by default: an unsigned annotated tag would pass verification. The commit the tag points to would still have to be signed by a maintainer or a contributor.
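The check the advisory describes has three outcomes a verifier must keep apart: a lightweight tag (the ref points straight at a commit, there is no tag object), an annotated tag with no signature block, and an annotated tag carrying one. A requireSignedTags setting has to reject the first two, and the bug above is the middle case slipping through. The following is an added example written for this page, not gitverify's code; it shows how to parse a raw tag object (the format `git cat-file -p` prints) and apply that gate. The constant names, the sample tag objects and the `checkTagPolicy` function are assumptions for illustration, and the signature armor in the sample is a constructed placeholder. Checking that a signature block is present is only the first step; validating it against trusted keys is a separate step not shown here.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TagKind classifies what a tag ref resolves to.
type TagKind int

const (
	Lightweight       TagKind = iota // ref points directly at a commit; no tag object
	AnnotatedUnsigned                // tag object exists but carries no signature block
	AnnotatedSigned                  // tag object ends with a signature block
)

func (k TagKind) String() string {
	return [...]string{"lightweight", "annotated, unsigned", "annotated, signed"}[k]
}

// Armor headers git appends to a tag message when signing. git places the
// signature at the end of the message, starting at the beginning of a line.
func isSigHeader(line string) bool {
	switch line {
	case "-----BEGIN PGP SIGNATURE-----", "-----BEGIN SSH SIGNATURE-----", "-----BEGIN SIGNED MESSAGE-----":
		return true
	}
	return false
}

// parseTagObject splits a raw tag object into its headers, the message, and
// the trailing signature block ("" when absent). It rejects non-tag objects.
func parseTagObject(raw string) (headers map[string]string, msg, sig string, err error) {
	head, body, found := strings.Cut(raw, "\n\n")
	if !found {
		return nil, "", "", errors.New("malformed tag object: no header/body separator")
	}
	headers = map[string]string{}
	for _, line := range strings.Split(head, "\n") {
		k, v, ok := strings.Cut(line, " ")
		if !ok {
			return nil, "", "", fmt.Errorf("malformed header line %q", line)
		}
		headers[k] = v
	}
	if headers["object"] == "" || headers["type"] == "" || headers["tag"] == "" {
		return nil, "", "", errors.New("not a tag object: missing object/type/tag headers")
	}
	// Only an armor header at the start of a line begins a signature; the same
	// text in the middle of a message line does not count.
	lines := strings.SplitAfter(body, "\n")
	for i, line := range lines {
		if isSigHeader(strings.TrimRight(line, "\n")) {
			return headers, strings.Join(lines[:i], ""), strings.Join(lines[i:], ""), nil
		}
	}
	return headers, body, "", nil
}

// classifyTag takes the raw tag object a ref resolves to, or "" when the ref
// points straight at a commit.
func classifyTag(tagObject string) (TagKind, error) {
	if tagObject == "" {
		return Lightweight, nil
	}
	_, _, sig, err := parseTagObject(tagObject)
	if err != nil {
		return Lightweight, err
	}
	if sig == "" {
		return AnnotatedUnsigned, nil
	}
	return AnnotatedSigned, nil
}

// checkTagPolicy is the gate a requireSignedTags setting should apply (hypothetical
// name). Anything other than a signed annotated tag is refused when it is on.
func checkTagPolicy(requireSignedTags bool, tagObject string) error {
	kind, err := classifyTag(tagObject)
	if err != nil {
		return err
	}
	if requireSignedTags && kind != AnnotatedSigned {
		return fmt.Errorf("requireSignedTags: tag is %s, signature required", kind)
	}
	return nil
}

// Constructed sample objects (placeholder ids and armor; not real data).
const unsignedTag = "object 0123456789abcdef0123456789abcdef01234567\ntype commit\ntag v1.0.0\n" +
	"tagger Jane Doe <jane@example.com> 1700000000 +0000\n\nRelease v1.0.0\n"

const signedTag = unsignedTag +
	"-----BEGIN PGP SIGNATURE-----\n\niQIzBAABCgAdFiEEPLACEHOLDERPLACEHOLDERPLACEHOLDER\n=AbCd\n-----END PGP SIGNATURE-----\n"

// Mentions the armor header mid-line only; must still be treated as unsigned.
const decoyTag = unsignedTag + "note: -----BEGIN PGP SIGNATURE----- appears in prose here\n"

func main() {
	for name, obj := range map[string]string{"lightweight": "", "unsigned": unsignedTag, "signed": signedTag, "decoy": decoyTag} {
		fmt.Printf("%-12s -> %v\n", name, checkTagPolicy(true, obj))
	}
}
```

To see the raw object this parses for a real tag, run `git cat-file -p refs/tags/<name>`; `git verify-tag <name>` performs the presence and validity checks together, which is what a verifier should ultimately do once a signature block is found.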

Patches

Affected since the initial commit; fixed in commit c2c60da05d5c73621d0ce7ea02770bacd79ec8b1 (no semantic versions yet).

Workarounds

None.

Weakness Enumeration

Improper Verification of Cryptographic Signature (CWE-347)

Related identifiers

GHSA-h829-5cg7-6hff

Affected products

github.com/supply-chain-tools/gitverify