CVE-2024-53267

CVSS 3.1 Score 5.5 of 10 (medium)

Details

Published Nov 26, 2024
CWE ID 347

Summary

CVE-2024-53267 affects the sigstore-java client, which is used for interacting with sigstore infrastructure. The vulnerability arises from insufficient verification when a validly-signed bundle is presented with a "mismatched" log entry. The verifier may accept such a bundle, cryptographically verifying its contents, but fail to ensure that the log entry is associated with the correct artifact. As a result, a malicious actor can create a bundle with an unrelated log entry and fake the logging of a signing event, potentially evading discovery via Rekor's log monitors. The signer's identity will still be available to the verifier, and the signature on the bundle must remain attached to the correct artifact for verification to pass. The sigstore-gradle-plugin and sigstore-maven-plugin are not impacted because they only provide signing functionality. This issue has been patched in the v1.1.0 release with PR #856. It is strongly recommended that all users upgrade as soon as possible; there are currently no known workarounds for this vulnerability.
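The missing check described above is the binding between the transparency-log entry and the artifact actually being verified. The following is an added illustration in Python, not sigstore-java's code and not the fix from PR #856: it builds a simplified Sigstore bundle around a constructed artifact and placeholder signature bytes, then checks that every `hashedrekord` log entry in the bundle names the same SHA-256 digest and the same signature that the bundle itself carries. The bundle and log-entry field names follow the public Sigstore bundle and Rekor hashedrekord layouts; the certificate content and signature bytes are placeholders, and no cryptographic signature verification is performed (the advisory states that part already passes).

```python
import base64
import hashlib
import json

# Constructed sample inputs (hypothetical; not from the advisory or sigstore-java).
ARTIFACT = b"example release artifact\n"
SIGNATURE = b"\x00\x11\x22\x33"  # placeholder bytes standing in for a real signature


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def make_hashedrekord_body(artifact_sha256_hex: str, signature: bytes) -> str:
    """Build the base64 canonicalized body of a Rekor 'hashedrekord' entry.

    Layout follows the public hashedrekord 0.0.1 schema; the public key
    field holds a placeholder instead of a real certificate.
    """
    body = {
        "apiVersion": "0.0.1",
        "kind": "hashedrekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256", "value": artifact_sha256_hex}},
            "signature": {
                "content": _b64(signature),
                "publicKey": {"content": "PLACEHOLDER-CERT"},
            },
        },
    }
    return _b64(json.dumps(body, separators=(",", ":"), sort_keys=True).encode())


def make_bundle(artifact: bytes, signature: bytes, log_entry_body: str) -> dict:
    """Simplified Sigstore bundle (JSON field names as in the bundle protobuf)."""
    return {
        "messageSignature": {
            "messageDigest": {
                "algorithm": "SHA2_256",
                "digest": _b64(hashlib.sha256(artifact).digest()),
            },
            "signature": _b64(signature),
        },
        "verificationMaterial": {
            "tlogEntries": [{"logIndex": "12345", "canonicalizedBody": log_entry_body}]
        },
    }


def log_entries_bound_to_artifact(bundle: dict, artifact: bytes) -> bool:
    """The binding check a verifier must perform after signature verification:
    every log entry in the bundle must record THIS artifact's digest and THIS
    bundle's signature, otherwise the entry proves nothing about this signing event."""
    expected_digest = hashlib.sha256(artifact).hexdigest()
    expected_sig = bundle["messageSignature"]["signature"]
    entries = bundle["verificationMaterial"].get("tlogEntries", [])
    if not entries:
        return False  # no log evidence at all
    for entry in entries:
        body = json.loads(base64.b64decode(entry["canonicalizedBody"]))
        if body.get("kind") != "hashedrekord":
            return False  # only the entry kind we know how to bind
        spec = body["spec"]
        if spec["data"]["hash"]["algorithm"] != "sha256":
            return False
        if spec["data"]["hash"]["value"] != expected_digest:
            return False  # log entry is about a different artifact
        if spec["signature"]["content"] != expected_sig:
            return False  # log entry records a different signature
    return True


def build_matched_bundle() -> dict:
    """Bundle whose log entry genuinely records the signing of ARTIFACT."""
    body = make_hashedrekord_body(hashlib.sha256(ARTIFACT).hexdigest(), SIGNATURE)
    return make_bundle(ARTIFACT, SIGNATURE, body)


def build_mismatched_bundle() -> dict:
    """Bundle whose log entry records some other artifact: the signature still
    covers ARTIFACT, but the log never saw this signing event."""
    other_digest = hashlib.sha256(b"some other artifact\n").hexdigest()
    return make_bundle(ARTIFACT, SIGNATURE, make_hashedrekord_body(other_digest, SIGNATURE))


if __name__ == "__main__":
    print("matched bundle accepted:", log_entries_bound_to_artifact(build_matched_bundle(), ARTIFACT))
    print("mismatched bundle accepted:", log_entries_bound_to_artifact(build_mismatched_bundle(), ARTIFACT))
```

The important property is that the check is driven by the artifact and signature the verifier has in hand, not by whatever the bundle's log entry claims; a verifier that only confirms the entry is well-formed and included in the log, without this comparison, exhibits the behaviour the advisory describes.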
