Sigstore

Cosign

8 vulnerabilities found.

Note: this list may be incomplete. Data is provided as-is in its original format, without warranty.
Exploit
  • EPSS 0.02%
  • Published 19.02.2026 22:27:08
  • Last modified 20.02.2026 19:04:02

Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided ...
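The class of bug described above, as an added example that is not Cosign's code: a constructed three-tier PKI in which the intermediate expires a year after issuance while the leaf it signed stays valid for two. A verifier that only checks the leaf's NotBefore/NotAfter against the signing time accepts a signature made after the issuer expired; full path validation at that time (here Go's crypto/x509, which checks every certificate in the path) rejects it. The names, validity periods and signing time are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chain is a constructed PKI: long-lived root, an intermediate that
// expires early, and a leaf whose window extends past its issuer's.
type chain struct {
	root, intermediate, leaf *x509.Certificate
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func caTemplate(serial int64, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// buildChain issues root -> intermediate -> leaf. The intermediate
// expires at issuerExpiry, the leaf at leafExpiry; a leafExpiry later
// than issuerExpiry is the shape the advisory describes.
func buildChain(now, issuerExpiry, leafExpiry time.Time) chain {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	intKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	rootTmpl := caTemplate(1, "example root", now, now.AddDate(10, 0, 0))
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	intermediate := mustCert(caTemplate(2, "example intermediate", now, issuerExpiry), root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "example signer"},
		NotBefore:    now,
		NotAfter:     leafExpiry,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := mustCert(leafTmpl, intermediate, &leafKey.PublicKey, intKey)
	return chain{root, intermediate, leaf}
}

// leafOnlyValid is the faulty pattern: only the leaf's window is
// compared against the signing time, so an issuer that expired
// before that time is never noticed.
func leafOnlyValid(c chain, signingTime time.Time) bool {
	return !signingTime.Before(c.leaf.NotBefore) && !signingTime.After(c.leaf.NotAfter)
}

// chainValidAt performs full path validation at the signing time.
// Go's verifier checks NotBefore/NotAfter on every certificate in the
// path, so an intermediate that expired before signingTime makes the
// chain unbuildable even though the leaf is inside its own window.
func chainValidAt(c chain, signingTime time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.root)
	intermediates := x509.NewCertPool()
	intermediates.AddCert(c.intermediate)
	_, err := c.leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		CurrentTime:   signingTime,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	c := buildChain(now, now.AddDate(1, 0, 0), now.AddDate(2, 0, 0))
	signingTime := now.AddDate(1, 6, 0) // issuer expired, leaf still valid
	fmt.Println("leaf-only check accepts:", leafOnlyValid(c, signingTime))
	fmt.Println("path validation error:  ", chainValidAt(c, signingTime))
}
```

The point to carry over: the time at which a chain is validated must be the signing time from the signed timestamp or log entry, and that check has to cover every issuer in the path, not just the leaf.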

Exploit
  • EPSS 0.01%
  • Published 10.01.2026 06:11:09
  • Last modified 05.02.2026 20:59:07

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, s...

Exploit
  • EPSS 0.53%
  • Published 10.04.2024 23:15:07
  • Last modified 09.01.2025 15:40:24

Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machine. The roo...

  • EPSS 0.21%
  • Published 10.04.2024 23:15:06
  • Last modified 09.01.2025 15:56:50

Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on the machin...

Exploit
  • EPSS 0.31%
  • Published 07.11.2023 18:15:09
  • Last modified 21.11.2024 08:29:11

Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to Cosign and...
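The three denial-of-service entries above (the pre-2.2.4 malicious artifact and malicious attachment, and the registry that returns a high number of signatures or attestations) share one remedy: bound what is accepted from the registry before allocating for it. The following is an added example, not Cosign's code, with constructed inputs and illustrative limits: an attachment list is refused if it is too long, each blob is read through io.LimitReader, and a stream that disagrees with its declared size is rejected rather than read to completion. The attachment type, the limits and the sample inputs are assumptions made for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"strings"
)

// attachment is a constructed stand-in for one layer under a signature
// or attestation tag as the registry describes it: a declared size and
// a way to open the content stream.
type attachment struct {
	DeclaredSize int64
	Open         func() io.Reader
}

// Illustrative limits a verifier should enforce on registry-provided
// data before allocating for it (not Cosign's own values).
const (
	maxAttachments   = 100
	maxAttachmentLen = 1 << 20 // bytes per signature/attestation blob
)

// endlessStream models a registry that keeps sending bytes long after
// the declared size has been reached.
type endlessStream struct{}

func (endlessStream) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	return len(p), nil
}

// loadAttachmentsUnbounded is the risky pattern: it trusts the count
// and reads each blob to completion. Against a hostile registry this
// allocates without bound; on endlessStream it would never return, so
// it is shown for contrast only.
func loadAttachmentsUnbounded(atts []attachment) ([][]byte, error) {
	out := make([][]byte, 0, len(atts))
	for _, a := range atts {
		data, err := io.ReadAll(a.Open())
		if err != nil {
			return nil, err
		}
		out = append(out, data)
	}
	return out, nil
}

// loadAttachmentsBounded refuses oversized lists before fetching
// anything, reads each blob through io.LimitReader, and treats a
// stream that disagrees with its declared size as an error.
func loadAttachmentsBounded(atts []attachment) ([][]byte, error) {
	if len(atts) > maxAttachments {
		return nil, fmt.Errorf("registry returned %d attachments, limit is %d", len(atts), maxAttachments)
	}
	out := make([][]byte, 0, len(atts))
	for i, a := range atts {
		if a.DeclaredSize > maxAttachmentLen {
			return nil, fmt.Errorf("attachment %d declares %d bytes, limit is %d", i, a.DeclaredSize, maxAttachmentLen)
		}
		// Read one byte past the limit so an over-long stream is detected
		// instead of silently truncated.
		data, err := io.ReadAll(io.LimitReader(a.Open(), maxAttachmentLen+1))
		if err != nil {
			return nil, err
		}
		if int64(len(data)) > maxAttachmentLen || int64(len(data)) != a.DeclaredSize {
			return nil, fmt.Errorf("attachment %d: declared %d bytes, stream delivered at least %d", i, a.DeclaredSize, len(data))
		}
		out = append(out, data)
	}
	return out, nil
}

// Constructed sample inputs: a benign blob, a flood of them, and a
// blob whose stream is far longer than its declared size.
func benign() []attachment {
	return []attachment{{DeclaredSize: 5, Open: func() io.Reader { return strings.NewReader("hello") }}}
}

func flood(n int) []attachment {
	atts := make([]attachment, n)
	for i := range atts {
		atts[i] = benign()[0]
	}
	return atts
}

func lyingSize() []attachment {
	return []attachment{{DeclaredSize: 5, Open: func() io.Reader { return endlessStream{} }}}
}

func main() {
	_, err := loadAttachmentsBounded(flood(10000))
	fmt.Println("flood:      ", err)
	_, err = loadAttachmentsBounded(lyingSize())
	fmt.Println("lying size: ", err)
	blobs, _ := loadAttachmentsBounded(benign())
	fmt.Println("benign:     ", string(blobs[0]))
}
```

The order of the checks matters: the count is enforced before any network read, and the per-blob limit is enforced by the reader itself, so neither a lying manifest nor a lying stream gets to choose how much memory the verifier allocates.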

Exploit
  • EPSS 0.07%
  • Published 14.09.2022 20:15:09
  • Last modified 21.11.2024 07:12:16

Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artif...

Exploit
  • EPSS 0.21%
  • Published 04.08.2022 19:15:09
  • Last modified 21.11.2024 07:11:59

cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verify-attestation` used with the `--type` flag will report a false positive verification when t...
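The selection bug described above, as an added example that is not Cosign's code: attestations are modelled as an in-toto Statement payload with an ECDSA signature over its SHA-256 (a simplification of the DSSE envelopes Cosign actually uses; the envelope format is not the point, the selection logic is). The vulnerable variant decides success on "at least one attestation verified" and only then filters by predicate type, so asking for a type that is absent still succeeds with an empty result; the fixed variant fails closed when no verified attestation has the requested type. The predicate-type URIs and the scanner predicate are sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// attestation is a simplified signed payload: an in-toto Statement in
// JSON plus an ECDSA signature over its SHA-256 (not a DSSE envelope).
type attestation struct {
	Payload   []byte
	Signature []byte
}

// statement is the subset of an in-toto Statement used for selection.
type statement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

func signStatement(priv *ecdsa.PrivateKey, predicateType string, predicate any) attestation {
	payload, _ := json.Marshal(map[string]any{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": predicateType,
		"predicate":     predicate,
	})
	digest := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return attestation{Payload: payload, Signature: sig}
}

func signatureValid(pub *ecdsa.PublicKey, a attestation) bool {
	digest := sha256.Sum256(a.Payload)
	return ecdsa.VerifyASN1(pub, digest[:], a.Signature)
}

// verifiedStatements returns every attestation whose signature checks
// out, regardless of its predicate type.
func verifiedStatements(pub *ecdsa.PublicKey, atts []attestation) []statement {
	var out []statement
	for _, a := range atts {
		if !signatureValid(pub, a) {
			continue
		}
		var s statement
		if err := json.Unmarshal(a.Payload, &s); err != nil {
			continue
		}
		out = append(out, s)
	}
	return out
}

// verifyTypeVulnerable reproduces the false positive: success is
// decided on "something verified", and the type filter only shapes
// the output. A request for an absent type still returns a nil error.
func verifyTypeVulnerable(pub *ecdsa.PublicKey, atts []attestation, wantType string) ([]statement, error) {
	verified := verifiedStatements(pub, atts)
	if len(verified) == 0 {
		return nil, errors.New("no attestation with a valid signature")
	}
	var matching []statement
	for _, s := range verified {
		if s.PredicateType == wantType {
			matching = append(matching, s)
		}
	}
	return matching, nil
}

// verifyTypeFixed fails closed: the requested type must be present
// among the attestations that actually verified.
func verifyTypeFixed(pub *ecdsa.PublicKey, atts []attestation, wantType string) ([]statement, error) {
	var matching []statement
	for _, s := range verifiedStatements(pub, atts) {
		if s.PredicateType == wantType {
			matching = append(matching, s)
		}
	}
	if len(matching) == 0 {
		return nil, fmt.Errorf("no verified attestation of type %q", wantType)
	}
	return matching, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed sample: the image carries only a vulnerability-scan
	// attestation, but policy asks for SLSA provenance.
	atts := []attestation{
		signStatement(priv, "https://cosign.sigstore.dev/attestation/vuln/v1", map[string]string{"scanner": "example"}),
	}
	want := "https://slsa.dev/provenance/v1"
	_, err := verifyTypeVulnerable(&priv.PublicKey, atts, want)
	fmt.Println("vulnerable:", err)
	_, err = verifyTypeFixed(&priv.PublicKey, atts, want)
	fmt.Println("fixed:     ", err)
}
```

A caller that only inspects the error (as a CI gate typically does) is exactly the one the vulnerable variant misleads; the fix is to make the requested type part of the success condition, not a post-filter.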

  • EPSS 0.05%
  • Published 18.02.2022 22:15:12
  • Last modified 21.11.2024 06:49:01

Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the Rekor transparency log even if it doesn't...
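The two transparency-log entries on this page, the pre-1.5.2 issue above (a bundle can claim an entry exists without proof) and the pre-2.6.2/3.0.4 issue earlier in the list (the embedded entry verifies but does not reference the artifact's digest), are the two halves of one check. The following is an added example, not Cosign's or Rekor's code: the entry carries the same field set a Rekor entry exposes (body, integrated time, log ID, index), but the log's signature over those fields is a simplified stand-in for Rekor's signed entry timestamp, not its real wire format, and the log key, log ID and artifacts are constructed. Verification must both confirm the log signed the entry and confirm the entry's body names the digest of the artifact actually being verified; skipping either step reopens one of the two bypasses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// logEntry is the transparency-log entry as carried inside a bundle.
// The signature scheme is a simplified stand-in for Rekor's signed
// entry timestamp, not its wire format.
type logEntry struct {
	Body           string `json:"body"`
	IntegratedTime int64  `json:"integratedTime"`
	LogID          string `json:"logID"`
	LogIndex       int64  `json:"logIndex"`
	Signature      []byte `json:"signature,omitempty"`
}

// entryBody is the decoded Body: which artifact digest the log recorded.
type entryBody struct {
	Kind   string `json:"kind"`
	Digest string `json:"digest"` // hex SHA-256 of the artifact
}

// signableBytes are the fields the log commits to: everything except
// the signature itself.
func signableBytes(e logEntry) []byte {
	e.Signature = nil
	b, _ := json.Marshal(e)
	return b
}

func artifactDigest(artifact []byte) string {
	d := sha256.Sum256(artifact)
	return hex.EncodeToString(d[:])
}

// makeEntry is what the (constructed) log produces for an artifact.
func makeEntry(logKey *ecdsa.PrivateKey, logID string, index int64, artifact []byte) logEntry {
	body, _ := json.Marshal(entryBody{Kind: "hashedrekord", Digest: artifactDigest(artifact)})
	e := logEntry{
		Body:           base64.StdEncoding.EncodeToString(body),
		IntegratedTime: 1700000000,
		LogID:          logID,
		LogIndex:       index,
	}
	h := sha256.Sum256(signableBytes(e))
	e.Signature, _ = ecdsa.SignASN1(rand.Reader, logKey, h[:])
	return e
}

// verifyEntryInLog checks the log's signature over the entry. Without
// this step a bundle can simply assert that an entry exists.
func verifyEntryInLog(logPub *ecdsa.PublicKey, e logEntry) error {
	h := sha256.Sum256(signableBytes(e))
	if !ecdsa.VerifyASN1(logPub, h[:], e.Signature) {
		return errors.New("log signature invalid: entry is not proven to be in the log")
	}
	return nil
}

// verifyEntryBindsArtifact checks that the entry is about this
// artifact. A genuine entry for some other artifact must not satisfy
// verification of the one at hand.
func verifyEntryBindsArtifact(e logEntry, artifact []byte) error {
	raw, err := base64.StdEncoding.DecodeString(e.Body)
	if err != nil {
		return fmt.Errorf("decode body: %w", err)
	}
	var body entryBody
	if err := json.Unmarshal(raw, &body); err != nil {
		return fmt.Errorf("parse body: %w", err)
	}
	if want := artifactDigest(artifact); body.Digest != want {
		return fmt.Errorf("log entry covers digest %s, artifact is %s", body.Digest, want)
	}
	return nil
}

// verifyBundleEntry runs both checks; dropping either one reopens one
// of the two bypasses.
func verifyBundleEntry(logPub *ecdsa.PublicKey, e logEntry, artifact []byte) error {
	if err := verifyEntryInLog(logPub, e); err != nil {
		return err
	}
	return verifyEntryBindsArtifact(e, artifact)
}

func main() {
	logKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	good := []byte("release-v1.2.3.tar.gz contents (constructed)")
	evil := []byte("trojaned build (constructed)")
	entry := makeEntry(logKey, "example-log", 42, good)

	fmt.Println("matching artifact:", verifyBundleEntry(&logKey.PublicKey, entry, good))
	fmt.Println("other artifact:   ", verifyBundleEntry(&logKey.PublicKey, entry, evil))
	forged := entry
	forged.LogIndex = 43 // bundle claims an entry the log never signed
	fmt.Println("forged entry:     ", verifyBundleEntry(&logKey.PublicKey, forged, good))
}
```

Note that the "other artifact" case passes verifyEntryInLog on its own: the entry is genuine, it just belongs to a different artifact. That is why proof of inclusion and binding to the digest under verification are separate checks and both are required.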