PT-2026-54439 · Maven · Dev.Sigstore:Sigstore-Java

Publicado

2026-06-30

·

Atualizado

2026-06-30

·

CVE-2026-48791

CVSS v3.1

2.0

Baixa

VetorAV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Summary

Regression: Verification of integratedTime from Rekor V1 Log Entry against Fuclio Certificate validity was missing

Details

  • PR #1008 erroneously removed verification of the integrated (Rekor entry) time) against the Fulcio certificate.
  • PR #1185 re-added this verification with enhancements that adhere to the Sigstore verification spec.
  • old sigstore-conformance test for this check was built incorrectly

PoC

A new bundle was added to sigstore-conformance to test this: sigstore-java:2.0.0 can be tested against it and shown to be unexpectedly passing Verify this [bundle](https://github.com/aaronlew02/sigstore-conformance/blob/8b45823fd0d82236ff42aea5b06c98d5109a0e6d/test/assets/bundle-verify/integrated-time-in-future fail/bundle.sigstore.json) against a.txt
$ git clone git@github.com:sigstore/sigstore-java
$ git checkout v2.0.0
$ ./gradlew :sigstore-cli:build
$ tar -xf sigstore-cli/build/distributions/sigstore-cli-*-SNAPSHOT.tar --strip-components 1
$ ./bin/sigstore-cli verify --bundle=bundle.sigstore.json a.txt
# expect error but none

Impact

This vulnerability impacts only users verifying bundles with dev.sigstore:sigstore-java:2.0.0. Older versions are not affected, it is fixed in dev.sigstore:sigstore-java:2.1.0
A malicious actor may exploit this if they were able to access a users system and exfiltrate the temporary private key used during signing and then reuse an old fulcio certificate later without requiring direct access to the user's credentials.
Users may protect themselves by re-verifying their artifacts using the newest sigstore-java or another current sigstore client. Transparency logs may also be audited for unauthorized signatures for a suspected reused identity.

Correção

Improper Verification of Cryptographic Signature

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-48791
GHSA-QQW8-7C2R-JXCH

Produtos afetados

Dev.Sigstore:Sigstore-Java