2024-11-26
sigstore-java has a critical vulnerability that lets a malicious actor present a fake signing event for an artifact, bypassing verification checks and concealing what was actually signed.
Platform: sigstore-java
Version: v1.0.0 (patched in v1.1.0)
Vulnerability: Incomplete verification in KeylessVerifier.verify()
Severity: Critical
Date: Unknown
What Undercode Says:
The sigstore-java library contained a critical vulnerability (CVE-2023-XXXX) that could be exploited by malicious actors. This vulnerability allowed them to forge signing events for artifacts, bypassing security checks. The vulnerability was patched in version 1.1.0.
Here’s how it worked:
1. The attacker creates two unrelated artifacts.
2. They sign both artifacts using the sigstore-java CLI.
3. They manipulate the signature information from one artifact and combine it with the log entry from the other.
4. The combined bundle presents a fake signing event for the first artifact, even though no such signing event took place.
This vulnerability could be used to hide malicious activity or bypass security controls.
Luckily, there are workarounds and a patch available. Verifiers can implement additional checks to ensure the log entry matches the artifact being verified. Alternatively, they can contact the transparency log to confirm the signing event.
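The mix-and-match from the steps above and the verifier-side check just described, as an added example in Python (not sigstore-java's own code). It assumes a simplified model of a Rekor hashedrekord entry, and HMAC with constructed keys stands in for the real ECDSA signatures and the log's signed entry timestamp.

```python
import base64, hashlib, hmac, json

# Stand-ins for real keys (constructed; real Sigstore uses ECDSA certs and a log key).
SIGNER_KEY = b"signer-secret"  # plays the role of the signer's private key
LOG_KEY = b"rekor-secret"      # plays the role of the transparency log's key
CERT = b"signer-cert-placeholder"

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def sign(artifact: bytes) -> bytes:
    # Toy signature over the artifact digest (HMAC stands in for ECDSA).
    return hmac.new(SIGNER_KEY, hashlib.sha256(artifact).digest(), "sha256").digest()

def signature_valid(artifact: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(artifact), signature)

def log_entry(artifact: bytes, signature: bytes) -> dict:
    # Simplified hashedrekord-style body plus a signed entry timestamp (SET) that
    # the log computes over the body; verifiers check the SET with the log key.
    body = {"kind": "hashedrekord",
            "spec": {"data": {"hash": {"algorithm": "sha256",
                                       "value": hashlib.sha256(artifact).hexdigest()}},
                     "signature": {"content": b64(signature),
                                   "publicKey": {"content": b64(CERT)}}}}
    canon = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "set": hmac.new(LOG_KEY, canon, "sha256").hexdigest()}

def entry_genuine(entry: dict) -> bool:
    canon = json.dumps(entry["body"], sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(LOG_KEY, canon, "sha256").hexdigest(), entry["set"])

def verify_incomplete(artifact: bytes, signature: bytes, entry: dict) -> bool:
    # The gap described above: signature and entry are each checked, but the entry
    # is never tied to this artifact and signature, so any genuine entry passes.
    return signature_valid(artifact, signature) and entry_genuine(entry)

def verify_complete(artifact: bytes, signature: bytes, entry: dict) -> bool:
    # Added check: the log entry must describe exactly this artifact and signature.
    spec = entry["body"]["spec"]
    return (verify_incomplete(artifact, signature, entry)
            and spec["data"]["hash"]["value"] == hashlib.sha256(artifact).hexdigest()
            and spec["signature"]["content"] == b64(signature)
            and spec["signature"]["publicKey"]["content"] == b64(CERT))

def mixed_bundle_demo() -> tuple:
    # Steps 1-3 above: two artifacts, both signed and logged, then artifact A's
    # signature paired with artifact B's log entry (constructed inputs).
    a, b = b"artifact-A (constructed)", b"artifact-B (constructed)"
    sig_a, sig_b = sign(a), sign(b)
    entry_b = log_entry(b, sig_b)
    return verify_incomplete(a, sig_a, entry_b), verify_complete(a, sig_a, entry_b)
```

`mixed_bundle_demo()` returns `(True, False)`: the incomplete verifier accepts the mismatched bundle, the complete one rejects it.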
It’s important to update to sigstore-java v1.1.0 or later to mitigate this vulnerability.
This vulnerability highlights the importance of proper code review and security testing. By following these practices, developers can help prevent similar vulnerabilities in the future.