PT-2024-35702 · Unknown · Sigstore-Java

Loosebazooka

·

Published

2024-11-26

·

Updated

2024-11-26

·

CVE-2024-53267

CVSS v3.1

5.5

Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: sigstore-java versions prior to v1.1.0
Description: The issue is insufficient verification in sigstore-java when a validly signed but "mismatched" bundle is presented as proof of inclusion in a transparency log. This bug affects clients using any variant of KeylessVerifier.verify(). The verifier may accept a bundle whose log entry is unrelated to the artifact: it cryptographically verifies everything (signature, certificate, signed entry timestamp and inclusion proof) but fails to ensure that the log entry actually describes the artifact, signature and certificate in the bundle. This allows an attacker holding a Fulcio certificate and its private key to combine a signature over the artifact with an unrelated but time-correct log entry (one whose integrated time falls inside the certificate's validity window) and so fake the logging of a signing event. A malicious actor using a compromised identity may do this to avoid discovery by Rekor's log monitors, since the real signing event never appears in the log.
Recommendations: For versions prior to v1.1.0, update to v1.1.0 or later to resolve the issue. As a temporary workaround, verifiers can recreate the expected log entry from the bundle's artifact digest, signature and certificate and compare it to the provided log entry, or query the log directly to confirm that a signing event for this artifact was actually recorded.
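The check the Description says was missing, and that the Recommendations propose as a workaround, modelled as an added Python example. This is not sigstore-java code: the Bundle type, helper names and sample data are constructed for illustration. It assumes signature, certificate chain, signed entry timestamp and inclusion-proof verification have already passed (the bug is that they all did while the entry described a different signing event), and it approximates Rekor's RFC 8785 canonicalisation of the hashedrekord body with sorted-key, whitespace-free JSON.

```python
"""Added example: tying a Rekor hashedrekord entry to the bundle it ships with.

Not sigstore-java code. Bundle fields, helper names and sample data are
constructed for illustration of CVE-2024-53267.
"""
import base64
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Bundle:
    artifact: bytes           # bytes of the artifact being verified
    signature: bytes          # signature carried in the bundle (opaque here)
    cert_pem: str             # Fulcio leaf certificate, PEM text
    cert_not_before: int      # certificate validity window, Unix seconds
    cert_not_after: int
    log_entry_body_b64: str   # Rekor entry "body" as shipped in the bundle
    integrated_time: int      # Rekor integratedTime of that entry


def hashedrekord_body(artifact: bytes, signature: bytes, cert_pem: str) -> str:
    """Base64 body of a Rekor hashedrekord entry for one signing event.
    Assumption: for this string-only object, sorted keys and no whitespace
    match Rekor's RFC 8785 canonical form."""
    body = {
        "apiVersion": "0.0.1",
        "kind": "hashedrekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256",
                              "value": hashlib.sha256(artifact).hexdigest()}},
            "signature": {
                "content": base64.b64encode(signature).decode(),
                "publicKey": {"content": base64.b64encode(cert_pem.encode()).decode()},
            },
        },
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return base64.b64encode(canonical.encode()).decode()


def time_window_ok(b: Bundle) -> bool:
    """Pre-v1.1.0 tie between entry and bundle: only that integratedTime lies
    inside the certificate's validity window. Any entry logged while the
    certificate was valid satisfies this, related to the artifact or not."""
    return b.cert_not_before <= b.integrated_time <= b.cert_not_after


def log_entry_matches(b: Bundle) -> bool:
    """The missing check: the entry body must name this artifact digest, this
    signature and this certificate. Compared field by field so the result does
    not depend on how the log serialised the entry."""
    try:
        body = json.loads(base64.b64decode(b.log_entry_body_b64))
        if body["kind"] != "hashedrekord":
            return False
        digest = body["spec"]["data"]["hash"]
        sig = body["spec"]["signature"]
    except (ValueError, KeyError, TypeError):
        return False
    return (digest["algorithm"] == "sha256"
            and digest["value"] == hashlib.sha256(b.artifact).hexdigest()
            and base64.b64decode(sig["content"]) == b.signature
            and base64.b64decode(sig["publicKey"]["content"]) == b.cert_pem.encode())


def verify_vulnerable(b: Bundle) -> bool:
    return time_window_ok(b)


def verify_fixed(b: Bundle) -> bool:
    return time_window_ok(b) and log_entry_matches(b)


def demo() -> dict:
    """Constructed data: an honest bundle, and a mismatched one whose entry is
    genuine-looking but records some other signing event in the same window."""
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    not_before, not_after = 1_732_600_000, 1_732_600_600   # ten-minute Fulcio cert
    artifact, sig = b"release-1.2.3.tar.gz bytes (constructed)", b"\x30\x45sig-over-artifact"

    honest = Bundle(artifact, sig, cert, not_before, not_after,
                    hashedrekord_body(artifact, sig, cert), not_before + 5)

    # Attacker keeps the real cert and signature but never logs them; the bundle
    # carries an unrelated entry whose integratedTime falls inside the window.
    other_cert = cert.replace("MIIB", "MIIC")
    unrelated = hashedrekord_body(b"unrelated-artifact", b"other-signature", other_cert)
    forged = Bundle(artifact, sig, cert, not_before, not_after, unrelated, not_before + 30)

    return {
        "honest_vulnerable": verify_vulnerable(honest),
        "honest_fixed": verify_fixed(honest),
        "forged_vulnerable": verify_vulnerable(forged),
        "forged_fixed": verify_fixed(forged),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints the four results: the mismatched bundle passes the time-window check alone, which is the pre-v1.1.0 behaviour the Description gives, and fails once the entry body is compared against the bundle. Comparing fields rather than canonical bytes keeps the check robust to serialisation differences; a verifier that instead queries Rekor, as the Recommendations also allow, should look up entries by the same artifact digest and confirm that the same certificate and signature appear in the returned body.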

Weakness Enumeration

CWE-345: Insufficient Verification of Data Authenticity
CWE-347: Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2024-53267
GHSA-Q4XM-6FJC-5F6W

Affected Products

Sigstore-Java