PT-2024-36069 · Unknown · Sigstore-Java
Loosebazooka · Published 2024-12-05 · Updated 2024-12-06 · CVE-2024-54140
CVSS v4.0: 2.1 (Low)
| Vector | AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions:
sigstore-java versions prior to 1.2.0
Description:
The vulnerability is insufficient verification when a bundle provides an invalid signature for a checkpoint. It affects clients using any variation of KeylessVerifier.verify(). The impact is low for clients that are not monitors or witnesses, because other mechanisms, such as signed entry timestamps, mitigate the issue: a valid signed entry timestamp is still required for verification to pass.
Recommendations:
For versions prior to 1.2.0, update to version 1.2.0 to fix the issue. As a temporary workaround, verifiers may verify the checkpoint manually after running KeylessVerifier.verify(), using the provided Java code to check the checkpoint signature themselves.
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sigstore-Java