PT-2026-54439 · Maven · Dev.Sigstore:Sigstore-Java
Publicado
2026-06-30
·
Atualizado
2026-06-30
·
CVE-2026-48791
CVSS v3.1
2.0
Baixa
| Vetor | AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N |
Summary
Regression: Verification of
integratedTime from Rekor V1 Log Entry against Fuclio Certificate validity was missingDetails
- PR #1008 erroneously removed verification of the integrated (Rekor entry) time) against the Fulcio certificate.
- PR #1185 re-added this verification with enhancements that adhere to the Sigstore verification spec.
- old sigstore-conformance test for this check was built incorrectly
PoC
A new bundle was added to sigstore-conformance to test this: sigstore-java:2.0.0 can be tested against it and shown to be unexpectedly passing
Verify this [bundle](https://github.com/aaronlew02/sigstore-conformance/blob/8b45823fd0d82236ff42aea5b06c98d5109a0e6d/test/assets/bundle-verify/integrated-time-in-future fail/bundle.sigstore.json) against
a.txt$ git clone git@github.com:sigstore/sigstore-java
$ git checkout v2.0.0
$ ./gradlew :sigstore-cli:build
$ tar -xf sigstore-cli/build/distributions/sigstore-cli-*-SNAPSHOT.tar --strip-components 1
$ ./bin/sigstore-cli verify --bundle=bundle.sigstore.json a.txt
# expect error but noneImpact
This vulnerability impacts only users verifying bundles with
dev.sigstore:sigstore-java:2.0.0. Older versions are not affected, it is fixed in dev.sigstore:sigstore-java:2.1.0A malicious actor may exploit this if they were able to access a users system and exfiltrate the temporary private key used during signing and then reuse an old fulcio certificate later without requiring direct access to the user's credentials.
Users may protect themselves by re-verifying their artifacts using the newest sigstore-java or another current sigstore client. Transparency logs may also be audited for unauthorized signatures for a suspected reused identity.
Correção
Improper Verification of Cryptographic Signature
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Dev.Sigstore:Sigstore-Java