CVE-2023-47122 MEDIUM

CVE-2023-47122: Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.

Vendor Sigstore
Product gitsign
Weakness CWE-347
Published November 10, 2023
Last update September 3, 2024

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

Key dates

02Disclosure timeline

November 10, 2023 CVE published
September 3, 2024 Record updated