PT-2024-36570 · Unknown · Sigstore-Python
Haydentherapper · Published 2024-12-10 · Updated 2024-12-11 · CVE-2024-55655 · CVSS v4.0 2.7 (Low)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
sigstore-python versions 2.0.0 and later, prior to 3.6.0 (3.6.0 contains the fix)
Description
The issue concerns insufficient validation of the "integration time" in "v2" and "v3" bundles during the verification flow. It affects versions of sigstore-python from 2.0.0 up to, but not including, 3.6.0. Sigstore signs with short-lived keys, so the verifier must establish that a signature was produced while the signing certificate was still valid; it does this by checking a time against the certificate's validity window. The "integration time" recorded for the transparency log entry is checked against a source of signed time, such as an inclusion promise, when one is present in the bundle, but is otherwise trusted as-is, even though an integration time that nothing has signed is a field the holder of the bundle can set freely. "v1" bundles are not affected, as they always require an inclusion promise. The impact and severity of this weakness are low, as Sigstore contains multiple other enforcing components that prevent an attacker from impersonating a valid signature by modifying the integration timestamp. An attacker who modifies the integration timestamp can induce a Denial of Service (a verification failure), but this is already possible with bundle access. An attacker could upload a new entry to the transparency service and substitute their new entry's time, but this would be rejected at validation time because the new entry's signed time lies outside the validity window of the original signing certificate.
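To make the check concrete, the following Python model is an added example and not sigstore-python's own code. It models the log's inclusion promise as an HMAC over the entry fields under a constructed key (the real Rekor promise is an ECDSA signature over the canonicalised entry, but the verifier logic has the same shape), and contrasts a verifier with the pre-3.6.0 behaviour, which trusts the integration time whenever no promise is present, with a hardened variant that refuses to use a time nothing has signed. The hardened variant illustrates the principle, not the project's actual patch. All names, the key and the scenario data are constructed.

```python
"""Model of the integration-time check described in the advisory (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional

# Constructed stand-in for the transparency log's signing key (not a real key).
LOG_KEY = b"constructed-transparency-log-key"


@dataclass(frozen=True)
class SigningCert:
    """Only the certificate fields this check needs: the validity window, unix seconds."""
    not_before: int
    not_after: int


@dataclass(frozen=True)
class LogEntry:
    log_index: int
    body_sha256: str                            # digest of the canonical entry body
    integration_time: int                       # unix seconds, as claimed by the log
    inclusion_promise: Optional[bytes] = None   # the log's signature; None if absent


def _promise_payload(entry: LogEntry) -> bytes:
    # The fields the log commits to; integrationTime is covered by the signature.
    return json.dumps(
        {"body": entry.body_sha256,
         "integrationTime": entry.integration_time,
         "logIndex": entry.log_index},
        sort_keys=True, separators=(",", ":")).encode()


def issue_inclusion_promise(entry: LogEntry) -> LogEntry:
    """What the log does at upload time: sign the entry, including its time."""
    tag = hmac.new(LOG_KEY, _promise_payload(entry), hashlib.sha256).digest()
    return replace(entry, inclusion_promise=tag)


def _promise_valid(entry: LogEntry) -> bool:
    expected = hmac.new(LOG_KEY, _promise_payload(entry), hashlib.sha256).digest()
    return hmac.compare_digest(expected, entry.inclusion_promise or b"")


def _time_in_window(cert: SigningCert, t: int) -> bool:
    return cert.not_before <= t <= cert.not_after


def verify_time_vulnerable(cert: SigningCert, entry: LogEntry) -> bool:
    """Pre-3.6.0 shape: the time is authenticated only when a promise happens to be present."""
    if entry.inclusion_promise is not None and not _promise_valid(entry):
        return False
    # Bug: with no promise, integration_time is an unauthenticated, holder-controlled field.
    return _time_in_window(cert, entry.integration_time)


def verify_time_hardened(cert: SigningCert, entry: LogEntry) -> bool:
    """Refuse to use a time that nothing signed (model of the approach, not the real patch)."""
    if entry.inclusion_promise is None or not _promise_valid(entry):
        return False
    return _time_in_window(cert, entry.integration_time)


# Constructed scenario: a certificate valid for ten minutes and an entry integrated inside it.
CERT = SigningCert(not_before=1_700_000_000, not_after=1_700_000_600)
GENUINE = issue_inclusion_promise(
    LogEntry(log_index=42, body_sha256="a1" * 32, integration_time=1_700_000_120))


def scenarios() -> dict:
    """Returns (vulnerable_result, hardened_result) for each tampering case."""
    # Time moved outside the window, promise kept: the promise no longer matches, both
    # verifiers reject. This is the denial of service the advisory mentions.
    moved = replace(GENUINE, integration_time=CERT.not_after + 3600)
    # Promise stripped and an arbitrary in-window time substituted: the vulnerable
    # verifier has nothing to check the time against and accepts it.
    stripped = replace(GENUINE, integration_time=CERT.not_before + 1, inclusion_promise=None)
    # Entry re-uploaded to the log later, with a fresh, correctly signed time: the signed
    # time is outside the original certificate's window, so both verifiers reject.
    reuploaded = issue_inclusion_promise(
        replace(GENUINE, log_index=99, integration_time=CERT.not_after + 86400))
    return {
        "genuine": (verify_time_vulnerable(CERT, GENUINE), verify_time_hardened(CERT, GENUINE)),
        "time_moved_promise_kept": (verify_time_vulnerable(CERT, moved), verify_time_hardened(CERT, moved)),
        "promise_stripped": (verify_time_vulnerable(CERT, stripped), verify_time_hardened(CERT, stripped)),
        "reuploaded": (verify_time_vulnerable(CERT, reuploaded), verify_time_hardened(CERT, reuploaded)),
    }


if __name__ == "__main__":
    for name, (vuln, hard) in scenarios().items():
        print(f"{name:25} vulnerable={vuln!s:5} hardened={hard}")
```

The only case where the two verifiers disagree is the stripped-promise bundle: removing the promise and choosing a convenient time is accepted by the vulnerable logic, while every case in which a promise is present, including a genuinely re-uploaded entry, is caught by the signature or the validity window, which is why the advisory rates the impact as low.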
Recommendations
For affected versions (2.0.0 and later, prior to 3.6.0), update to sigstore-python 3.6.0 or later, which resolves the issue. Until the update is applied, treat "v2" and "v3" bundles that carry no inclusion promise or other source of signed time as unverified, since their integration time cannot be checked against anything; "v1" bundles, and bundles that do carry an inclusion promise, have their integration time validated correctly.
Affected Products
Sigstore-Python