CVE-2022-36056

Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25	Patch Third Party Advisory
https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388	Exploit Mitigation Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*

History

14 Sep 2022, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-14 20:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-36056

Mitre link : CVE-2022-36056

CVE.ORG link : CVE-2022-36056

JSON object : View

Products Affected

sigstore

cosign

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2022-36056", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2022-09-14T20:15:09.860", "references": [{"url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388", "tags": ["Exploit", "Mitigation", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues."}, {"lang": "es", "value": "Cosign es un proyecto bajo la organizaci\u00f3n sigstore que presenta como objetivo hacer que la infraestructura de las firmas sea invisible. En versiones anteriores a 1.12.0, han sido encontradas una serie de vulnerabilidades en cosign verify-blob, donde Cosign verificaba con \u00e9xito un artefacto cuando la verificaci\u00f3n deber\u00eda haber fallado. En primer lugar, puede dise\u00f1arse un paquete de Cosign para que verifique correctamente un blob aunque el rekorBundle insertado no haga referencia a la firma en cuesti\u00f3n. En segundo lugar, cuando son proporcionados indicadores de identidad, el correo electr\u00f3nico y el emisor de un certificado no son comprobados cuando es verificado un paquete Rekor, y la identidad de las acciones de GitHub nunca es comprobada. En tercer lugar, si es proporcionada un paquete Rekor no v\u00e1lido sin el flag experimental, la verificaci\u00f3n es realizada con \u00e9xito. Y en cuarto lugar, una entrada de registro de transparencia no v\u00e1lida resultar\u00e1 en un \u00e9xito inmediato de la verificaci\u00f3n. Los detalles y ejemplos de estos problemas pueden verse en el aviso GHSA-8gw7-4j42-w388 enlazado. Es recomendado a usuarios actualizar a versi\u00f3n 1.12.0. No se presentan mitigaciones conocidas para estos problemas"}], "lastModified": "2022-09-19T18:11:48.953", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4975968-ACFD-4039-AD18-F2C53D2CF1DD", "versionEndExcluding": "1.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}