CVE-2024-51746

Name of the Vulnerable Software and Affected Versions gitsign (affected versions not specified)

Description The issue arises when gitsign uses Rekor's search API to fetch entries for signature verification, using parameters such as the public key and the payload. However, the search API returns entries that match either condition rather than both. This can lead to gitsign selecting the wrong Rekor entry during online verification when multiple entries are returned by the log. The impact is minimal because, although gitsign does not match the payload against the entry, it ensures that the certificate matches. Exploitation would need to occur within the certificate validity window, which is 10 minutes, and would require action by the key holder.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.