Mattmoor

**Name of the Vulnerable Software and Affected Versions** Go SDK for CloudEvents versions prior to 2.15.2 **Description** The issue is related to the `cloudevents.WithRoundTripper` function in the Go SDK for CloudEvents, which causes the SDK to leak credentials to arbitrary endpoints when used with an authenticated `http.RoundTripper`. This happens because the `http.DefaultClient` is modified with the authenticated transport, resulting in the sending of Authorization tokens to any endpoint it contacts. The estimated number of potentially affected devices worldwide is not available. **Recommendations** For versions prior to 2.15.2, update to version 2.15.2 to patch the issue. As a temporary workaround, consider avoiding the use of `cloudevents.WithRoundTripper` with an authenticated `http.RoundTripper` until the update is applied. Restrict access to the `http.DefaultClient` to minimize the risk of exploitation. Avoid using the `Transport` field in the `http.DefaultClient` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** cosign versions prior to 1.10.1 **Description** The issue concerns a container signing and verification utility. In affected versions, `cosign verify-attestation` used with the `--type` flag can report a false positive verification when there is at least one attestation with a valid signature and there are no attestations of the type being verified. This can occur with standard keypair signing and "keyless" signing with Fulcio. The problem can be reproduced with a specific image that has a `vuln` attestation but not an `spdx` attestation, causing `cosign verify-attestation --type=spdx` to incorrectly succeed. **Recommendations** For versions prior to 1.10.1, upgrade to cosign version 1.10.1 or greater to resolve the issue. As a temporary workaround, consider avoiding the use of `cosign verify-attestation` with the `--type` flag until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** PolicyController versions prior to 0.2.1 **Description** The issue arises when there is at least one attestation with a valid signature and no attestations of the type being verified, with `--type` defaulting to "custom". This results in a false positive, leading to an admission when it should not be admitted. An example image to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. **Recommendations** To resolve this issue, users should upgrade to version 0.2.1 or greater. There are no workarounds for users unable to upgrade.