
Codysoyland

#45380 of 53,632
5.5 Total CVSS
Vulnerabilities · 1
PT-2022-23147
5.5
2022-09-14
Cosign · Cosign · CVE-2022-36056
**Name of the Vulnerable Software and Affected Versions**

cosign versions prior to 1.12.0

**Description**

A number of issues have been found in `cosign verify-blob`, where cosign would successfully verify an artifact when verification should have failed. These issues include:

- a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature,
- when providing identity flags, the email and issuer of a certificate are not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked,
- providing an invalid Rekor bundle without the experimental flag results in a successful verification,
- an invalid transparency log entry results in immediate success for verification.

**Recommendations**

For versions prior to 1.12.0, update to version 1.12.0 to resolve the issues. As a temporary workaround for the first issue, consider extracting the signature and certificate from the bundle and using them for verification instead of the bundle, by running `cosign verify-blob blob1 --signature $(jq -r '.base64Signature' bundle1) --certificate $(jq -r '.cert' bundle1)`. However, note that this workaround may make a network call to Rekor and could be subject to the fourth issue. For the other issues, there are no workarounds, and users should update to version 1.12.0.
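The first issue is a missing consistency check: the Rekor entry embedded in a cosign bundle must commit to the same signature (and blob digest) that the bundle asks cosign to verify. The following is an added example, not code from the cosign project or from this advisory. It builds a bundle in the shape `cosign sign-blob --bundle` writes (a top-level `base64Signature`, `cert` and `rekorBundle`, whose `Payload.body` is the base64-encoded `hashedrekord` entry; this layout and all key material are constructed placeholders, and the `SignedEntryTimestamp` is not cryptographically checked here), then shows the check that a crafted bundle fails, alongside the two fields the advisory's `jq` workaround extracts.

```python
import base64
import hashlib
import json


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def make_bundle(signature_b64: str, cert_pem: str,
                rekor_signature_b64: str, blob_sha256: str) -> dict:
    """Constructed bundle resembling `cosign sign-blob --bundle` output (1.x).

    The signature stored in the Rekor entry is passed separately so a
    crafted, inconsistent bundle can be produced for the failing case.
    All values are placeholders, not real signatures or certificates.
    """
    entry = {
        "apiVersion": "0.0.1",
        "kind": "hashedrekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256", "value": blob_sha256}},
            "signature": {
                "content": rekor_signature_b64,
                "publicKey": {"content": _b64(cert_pem)},
            },
        },
    }
    return {
        "base64Signature": signature_b64,
        "cert": _b64(cert_pem),
        "rekorBundle": {
            "SignedEntryTimestamp": _b64("placeholder-set"),  # not verified here
            "Payload": {
                "body": _b64(json.dumps(entry)),
                "integratedTime": 1663113600,
                "logIndex": 1,
                "logID": "0" * 64,  # placeholder log ID
            },
        },
    }


def rekor_entry(bundle: dict) -> dict:
    """Decode the hashedrekord entry embedded in rekorBundle.Payload.body."""
    body = bundle["rekorBundle"]["Payload"]["body"]
    return json.loads(base64.b64decode(body))


def bundle_references_signature(bundle: dict) -> bool:
    """The check the first issue describes as missing: the embedded Rekor
    entry must reference the very signature the bundle carries."""
    entry = rekor_entry(bundle)
    if entry.get("kind") != "hashedrekord":
        return False
    return entry["spec"]["signature"].get("content") == bundle["base64Signature"]


def bundle_references_blob(bundle: dict, blob: bytes) -> bool:
    """The Rekor entry must also commit to the digest of the blob being verified."""
    entry = rekor_entry(bundle)
    digest = entry["spec"]["data"]["hash"]
    return (digest.get("algorithm") == "sha256"
            and digest.get("value") == hashlib.sha256(blob).hexdigest())


def workaround_args(bundle: dict) -> tuple[str, str]:
    """What the advisory's `jq -r '.base64Signature'` and `jq -r '.cert'` yield."""
    return bundle["base64Signature"], bundle["cert"]


if __name__ == "__main__":
    cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    blob = b"hello"
    sha = hashlib.sha256(blob).hexdigest()
    good = make_bundle("c2ln", cert, "c2ln", sha)          # consistent bundle
    crafted = make_bundle("c2ln", cert, "b3RoZXI=", sha)   # Rekor entry names another signature
    print("consistent bundle ok:", bundle_references_signature(good) and bundle_references_blob(good, blob))
    print("crafted bundle rejected:", not bundle_references_signature(crafted))
    print("workaround args:", workaround_args(crafted))
```

Note that the workaround arguments are identical for the consistent and the crafted bundle: the `jq` extraction sidesteps the embedded Rekor entry entirely, which is exactly why it avoids the first issue and why it still relies on Rekor (and so on the fourth issue) for the transparency log check.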