Executive Summary

Information
Name: CVE-2023-47122
Vendor: Cve
First vendor publication: 2023-11-10
Last vendor modification: 2024-11-21

Security-Database Scoring CVSS v3

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Overall CVSS score: 5.3
Base score: 5.3
Environmental score: 5.3
Temporal score: 5.3
Impact sub score: 3.6
Exploitability sub score: 1.6

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None

Security-Database Scoring CVSS v2

CVSS vector: not assigned
CVSS base score: N/A
CVSS impact score: N/A
CVSS exploit score: N/A
Attack range: N/A
Attack complexity: N/A
Authentication: N/A

Detail

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API instead of through the local TUF client. Because the verification key came from the same server whose responses were being verified, a compromised upstream Rekor server could serve both a forged log entry and a key that validates it, so gitsign clients could be tricked into trusting incorrect signatures. There is no known compromise of the default public good instance (`rekor.sigstore.dev`); anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.
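The following Go program is an added illustration written for this page; it is not gitsign's or Sigstore's code and uses no Sigstore library. It models the trust-anchor mistake described above with a deliberately simplified log entry and a plain ECDSA signature standing in for Rekor's signed entry timestamp: one verifier fetches its key from the server it is checking (the 0.6.0 to 0.7.x behaviour), the other uses a key pinned from an out-of-band trust root (what the TUF client provides after the v0.8.0 fix). The `Entry` type, the server model and the sample commit strings are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Entry is a deliberately simplified stand-in for a Rekor log entry; the real
// entry and SET formats are richer. Constructed for this example only.
type Entry struct {
	LogIndex int64  `json:"logIndex"`
	Body     string `json:"body"`
}

// digest hashes the canonical JSON encoding of the entry.
func digest(e Entry) []byte {
	b, _ := json.Marshal(e) // struct marshalling has a fixed field order
	sum := sha256.Sum256(b)
	return sum[:]
}

// RekorServer models whoever answers the Rekor API: it holds a signing key and
// serves that key's public half to any client that asks for it.
type RekorServer struct{ key *ecdsa.PrivateKey }

func NewRekorServer() *RekorServer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &RekorServer{key: k}
}

// APIPublicKey is what the vulnerable client trusted: the key as served by the API.
func (s *RekorServer) APIPublicKey() *ecdsa.PublicKey { return &s.key.PublicKey }

// SignEntry stands in for Rekor producing the signed entry timestamp.
func (s *RekorServer) SignEntry(e Entry) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest(e))
	if err != nil {
		panic(err)
	}
	return sig
}

// Compromise swaps in an attacker-controlled key: whoever controls the Rekor
// host controls both the entries it returns and the key it advertises.
func (s *RekorServer) Compromise() { s.key = NewRekorServer().key }

func verify(pub *ecdsa.PublicKey, e Entry, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(e), sig)
}

// VerifyWithAPIKey models gitsign 0.6.0 through 0.7.x: the verification key is
// fetched from the same server whose response is being checked.
func VerifyWithAPIKey(srv *RekorServer, e Entry, sig []byte) bool {
	return verify(srv.APIPublicKey(), e, sig)
}

// VerifyWithTrustRoot models the v0.8.0 fix: the key comes from a trust root
// obtained out of band (in gitsign, via the TUF client), never from the server.
func VerifyWithTrustRoot(trusted *ecdsa.PublicKey, e Entry, sig []byte) bool {
	return verify(trusted, e, sig)
}

// Outcome records whether each verifier accepted an entry.
type Outcome struct{ APIKey, TrustRoot bool }

// Scenario runs the honest and the compromised case and returns what each
// verifier accepts in each.
func Scenario() (honest, forged Outcome) {
	srv := NewRekorServer()
	// The trust root is captured while the server is genuine, then pinned.
	trusted := *srv.APIPublicKey()

	genuine := Entry{LogIndex: 42, Body: "commit abc123 signed by alice@example.com"}
	sig := srv.SignEntry(genuine)
	honest = Outcome{VerifyWithAPIKey(srv, genuine, sig), VerifyWithTrustRoot(&trusted, genuine, sig)}

	// The attacker takes over the server and mints an entry for a commit that was never signed.
	srv.Compromise()
	fake := Entry{LogIndex: 43, Body: "commit deadbeef signed by alice@example.com"}
	fakeSig := srv.SignEntry(fake)
	forged = Outcome{VerifyWithAPIKey(srv, fake, fakeSig), VerifyWithTrustRoot(&trusted, fake, fakeSig)}
	return honest, forged
}

func main() {
	honest, forged := Scenario()
	fmt.Printf("honest server:      api-key=%v trust-root=%v\n", honest.APIKey, honest.TrustRoot)
	fmt.Printf("compromised server: api-key=%v trust-root=%v\n", forged.APIKey, forged.TrustRoot)
}
```

Both verifiers accept the genuine entry, but only the API-key verifier accepts the forgery: a key whose provenance is the server under verification proves nothing about that server. The point generalises beyond Rekor: any transparency-log or timestamping client must take its verification material from a separately rooted channel (TUF metadata, a pinned root, an embedded key) rather than from the service's own endpoint.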

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47122

CPE : Common Platform Enumeration

Type: Application
Description: (none)
Count: 1

Sources (Detail)

https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model
https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f...
https://github.com/sigstore/gitsign/pull/399
https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc

Alert History

Date / Information
2024-11-25 09:31:48
  • Multiple Updates
2023-11-23 02:34:49
  • Multiple Updates
2023-11-23 02:34:04
  • Multiple Updates
2023-11-22 17:27:35
  • Multiple Updates
2023-11-16 21:27:26
  • Multiple Updates
2023-11-13 09:27:31
  • Multiple Updates
2023-11-11 05:27:30
  • First insertion