PT-2024-31599 · Unknown · Sigstore-Go

Adamkorcz · Published 2024-09-04 · Updated 2024-09-24 · CVE-2024-45395

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: sigstore-go versions prior to 0.6.1
Description: A verifier that is handed a maliciously crafted Sigstore bundle carrying a large amount of verifiable data can be driven into a denial of service. That data can take the form of signed transparency log entries, RFC 3161 timestamps, or attestation subjects. sigstore-go verifies every one of these structures, and each verification involves cryptographic work, so an attacker can make a single bundle consume excessive CPU, cause verification to never complete, and disrupt services that rely on sigstore-go for verification. TUF's security model labels this class of vulnerability an "endless data attack". Only availability is affected: the attacker cannot use it to make a forged bundle verify.
Recommendations: Upgrade to sigstore-go 0.6.1 or later. Users who are vulnerable but cannot upgrade quickly should, as a temporary workaround, validate bundles themselves before calling sigstore-go's verification functions, enforcing limits on the number of transparency log entries, timestamps and attestation subjects similar to those in the referenced patch.
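A pre-verification check of the kind the workaround describes, as an added example written for this page (it is not sigstore-go's own code). It decodes only the parts of the bundle's JSON encoding needed to count transparency log entries, RFC 3161 timestamps and in-toto attestation subjects, and rejects the bundle before any signature is checked, so the cost of rejecting an oversized bundle is a JSON parse rather than thousands of signature verifications. The limit values in DefaultLimits and the MakeBundle helper that fabricates placeholder bundles are assumptions for illustration; the advisory does not state the exact limits the patch enforces.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Limits caps how much verifiable material a bundle may carry. DefaultLimits
// holds assumed values for this example, not the numbers from the 0.6.1 patch.
type Limits struct {
	MaxTlogEntries int
	MaxTimestamps  int
	MaxSubjects    int
}

var DefaultLimits = Limits{MaxTlogEntries: 32, MaxTimestamps: 32, MaxSubjects: 1024}

// ErrTooMuchData is returned when any counted collection exceeds its limit.
var ErrTooMuchData = errors.New("bundle exceeds verification limits")

// The structs below mirror only the fields of the Sigstore bundle JSON
// encoding that the check counts; encoding/json ignores everything else.
type timestampData struct {
	RFC3161Timestamps []json.RawMessage `json:"rfc3161Timestamps"`
}

type verificationMaterial struct {
	TlogEntries               []json.RawMessage `json:"tlogEntries"`
	TimestampVerificationData timestampData     `json:"timestampVerificationData"`
}

type dsseEnvelope struct {
	Payload     string `json:"payload"` // base64 of the in-toto statement
	PayloadType string `json:"payloadType"`
}

type bundle struct {
	MediaType            string               `json:"mediaType"`
	VerificationMaterial verificationMaterial `json:"verificationMaterial"`
	DSSEEnvelope         *dsseEnvelope        `json:"dsseEnvelope,omitempty"`
}

// statement is the subset of an in-toto Statement needed to count subjects.
type statement struct {
	Type    string            `json:"_type"`
	Subject []json.RawMessage `json:"subject"`
}

// CheckBundleLimits rejects a bundle carrying more transparency log entries,
// RFC 3161 timestamps or attestation subjects than l allows. It does no
// cryptographic work, so it is cheap to run before the expensive verifier.
func CheckBundleLimits(raw []byte, l Limits) error {
	var b bundle
	if err := json.Unmarshal(raw, &b); err != nil {
		return fmt.Errorf("decode bundle: %w", err)
	}
	if n := len(b.VerificationMaterial.TlogEntries); n > l.MaxTlogEntries {
		return fmt.Errorf("%w: %d tlog entries, limit %d", ErrTooMuchData, n, l.MaxTlogEntries)
	}
	if n := len(b.VerificationMaterial.TimestampVerificationData.RFC3161Timestamps); n > l.MaxTimestamps {
		return fmt.Errorf("%w: %d RFC 3161 timestamps, limit %d", ErrTooMuchData, n, l.MaxTimestamps)
	}
	if b.DSSEEnvelope != nil && b.DSSEEnvelope.PayloadType == "application/vnd.in-toto+json" {
		payload, err := base64.StdEncoding.DecodeString(b.DSSEEnvelope.Payload)
		if err != nil {
			return fmt.Errorf("decode DSSE payload: %w", err)
		}
		var st statement
		if err := json.Unmarshal(payload, &st); err != nil {
			return fmt.Errorf("decode in-toto statement: %w", err)
		}
		if n := len(st.Subject); n > l.MaxSubjects {
			return fmt.Errorf("%w: %d subjects, limit %d", ErrTooMuchData, n, l.MaxSubjects)
		}
	}
	return nil
}

// MakeBundle fabricates a constructed bundle (placeholder entries that would
// never verify) with the requested counts, so the check can be exercised offline.
func MakeBundle(tlog, timestamps, subjects int) []byte {
	repeat := func(n int, item string) []json.RawMessage {
		out := make([]json.RawMessage, n)
		for i := range out {
			out[i] = json.RawMessage(item)
		}
		return out
	}
	st, _ := json.Marshal(statement{
		Type:    "https://in-toto.io/Statement/v1",
		Subject: repeat(subjects, `{"name":"artifact","digest":{"sha256":"00"}}`),
	})
	b := bundle{
		MediaType:    "application/vnd.dev.sigstore.bundle.v0.3+json",
		DSSEEnvelope: &dsseEnvelope{Payload: base64.StdEncoding.EncodeToString(st), PayloadType: "application/vnd.in-toto+json"},
	}
	b.VerificationMaterial.TlogEntries = repeat(tlog, `{"logIndex":"0"}`)
	b.VerificationMaterial.TimestampVerificationData.RFC3161Timestamps = repeat(timestamps, `{"signedTimestamp":"AA=="}`)
	raw, _ := json.Marshal(b)
	return raw
}

func main() {
	for _, c := range [][3]int{{1, 1, 1}, {1000, 0, 1}, {1, 1, 5000}} {
		err := CheckBundleLimits(MakeBundle(c[0], c[1], c[2]), DefaultLimits)
		fmt.Printf("tlog=%d timestamps=%d subjects=%d -> %v\n", c[0], c[1], c[2], err)
	}
}
```

Run the check on the raw bundle bytes and only pass bundles that return nil on to the verifier. Counting is done on the decoded JSON arrays, not on parsed entries, so a bundle full of garbage entries is rejected just as cheaply as one full of well-formed ones; the in-toto payload is only decoded when the DSSE payload type says it is a statement.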

Weakness Enumeration

Infinite Loop

Related Identifiers

CVE-2024-45395
GHSA-CQ38-JH5F-37MQ
GO-2024-3116

Affected Products

Sigstore-Go