PT-2026-24484 · Unknown · Sigstore-Ruby
Hanazuki · Published 2026-03-10 · Updated 2026-03-11 · CVE-2026-31830
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
sigstore-ruby versions prior to 0.2.3
Description
The software does not correctly handle verification failures when the artifact digest does not match the digest recorded in the in-toto attestation subject. Specifically, the Sigstore::Verifier#verify function does not propagate the VerificationFailure returned by its inner in-toto verification step (verify in toto). As a result, verification succeeds even when the artifact does not match the attested subject, affecting the verification of DSSE bundles that contain in-toto statements.
Recommendations
Update to version 0.2.3 or later.
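The unchecked-return-value pattern behind this advisory, shown as an added Ruby illustration that is not sigstore-ruby's own code: an inner subject-digest check returns a failure object rather than raising, the vulnerable caller discards it, and the fixed caller propagates it. The statement, the artifact bytes and the function names (verify_in_toto_subject, verify_unchecked, verify_checked) are constructed for this example.

```ruby
require "digest"

# Stand-ins for verification outcomes (hypothetical, not sigstore-ruby's classes).
VerificationSuccess = Struct.new(:reason) do
  def verified?
    true
  end
end
VerificationFailure = Struct.new(:reason) do
  def verified?
    false
  end
end

# Constructed in-toto statement: the subject records the digest the attestation was made over.
STATEMENT = {
  "_type" => "https://in-toto.io/Statement/v1",
  "subject" => [{
    "name" => "app.tar.gz",
    "digest" => { "sha256" => Digest::SHA256.hexdigest("attested artifact bytes") },
  }],
}.freeze

# Compares the artifact's SHA-256 with the digest in the statement subject.
# It reports the outcome as a return value, which is why the caller's handling
# of that value decides whether a mismatch is actually enforced.
def verify_in_toto_subject(statement, artifact_bytes)
  actual = Digest::SHA256.hexdigest(artifact_bytes)
  expected = statement.dig("subject", 0, "digest", "sha256")
  if actual != expected
    return VerificationFailure.new("subject digest mismatch: expected #{expected}, got #{actual}")
  end
  VerificationSuccess.new("subject digest matches")
end

# Vulnerable shape: the inner result is computed and then ignored, so the outer
# verification reports success no matter what the digest comparison found.
def verify_unchecked(statement, artifact_bytes)
  verify_in_toto_subject(statement, artifact_bytes) # return value discarded
  VerificationSuccess.new("bundle verified")
end

# Fixed shape: a failure from the inner step is returned to the caller unchanged.
def verify_checked(statement, artifact_bytes)
  result = verify_in_toto_subject(statement, artifact_bytes)
  return result unless result.verified?
  VerificationSuccess.new("bundle verified")
end
```

Running both callers against tampered bytes shows the difference: verify_unchecked reports success while verify_checked returns the VerificationFailure.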
Weakness Enumeration
Unchecked Return Value
Affected Products
Sigstore-Ruby