2024-11-28
Platform: sigstore-java
Version: v1.0.0
Vulnerability: Improper verification of log entry in bundle verification (CVE-2024-53267)
Severity: Critical
Date: November 26, 2024
What Undercode Says:
This critical vulnerability in sigstore-java allows an attacker to forge bundle verification proofs without the signing event ever having been recorded in the transparency log, which bypasses security controls that rely on that log. Upgrade to sigstore-java v1.1.0, or apply the provided workarounds, to mitigate the risk.
References:
Reported By: Github.com