Description
A flaw was found in Cosign, a tool for code signing and transparency for containers and binaries. An attacker who can supply the attestation being verified could provide a malformed payload, or an attestation whose predicate type does not match the type requested, and `cosign verify-blob-attestation` could still report "Verified OK" even though the attestation is invalid. This undermines the integrity of the verification step, potentially allowing unverified software to be trusted.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Affected Packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| OpenShift Pipelines | openshift-pipelines-client | Fix deferred | | |
| OpenShift Pipelines | redhat-user-workloads/chains-controller-rhel8 | Fix deferred | | |
| OpenShift Pipelines | redhat-user-workloads/chains-controller-rhel9 | Fix deferred | | |
| OpenShift Pipelines | redhat-user-workloads/cli-tkn-rhel8 | Fix deferred | | |
| OpenShift Pipelines | redhat-user-workloads/cli-tkn-rhel9 | Fix deferred | | |
| OpenShift Pipelines | redhat-user-workloads/opc-rhel9 | Fix deferred | | |
| OpenShift Pipelines | redhat-user-workloads/operator-operator-rhel9 | Fix deferred | | |
| OpenShift Pipelines | redhat-user-workloads/pipelines-chains-controller-rhel9 | Fix deferred | | |
| OpenShift Pipelines | redhat-user-workloads/pipelines-cli-tkn-rhel9 | Fix deferred | | |
| OpenShift Pipelines | redhat-user-workloads/pipelines-opc-rhel9 | Fix deferred | | |
Additional Information
Status:
EPSS:
CVSS3: 6.5 Medium
Related Vulnerabilities
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.
Cosign's verify-blob-attestation reports false positive when payload parsing fails
EPSS:
CVSS3: 6.5 Medium
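Because the flaw is that cosign's own predicate-type check can be skipped when the payload fails to parse (old-format bundles and detached signatures) or is bypassed outright (new-format bundles), a practitioner running an affected release should not treat "Verified OK" as proof that the predicate type was checked. The following Go program is an added example, not cosign's code and not a Red Hat mitigation: it re-checks the decoded statement independently and fails closed on every defect the advisory names. It assumes cosign has already verified the DSSE envelope's signature (this code deliberately ignores the `signatures` field), that the expected predicate type is given as a full URI, and that the sample envelopes below are constructed, unsigned test data rather than real attestations.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// dsseEnvelope models the DSSE envelope that wraps an attestation. Only the
// fields needed for this check are included; signatures are deliberately
// ignored because this program is meant to run after cosign has verified them.
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // standard base64 of the in-toto statement
}

// statement is the subset of an in-toto Statement that the check inspects.
type statement struct {
	Type          string            `json:"_type"`
	Subject       []json.RawMessage `json:"subject"`
	PredicateType string            `json:"predicateType"`
	Predicate     json.RawMessage   `json:"predicate"`
}

const inTotoPayloadType = "application/vnd.in-toto+json"

// CheckPredicateType decodes a DSSE envelope and fails closed: the payload must
// base64-decode, parse as an in-toto statement, carry a subject, and have a
// predicateType exactly equal to wantType. Every failure is returned as an
// error; there is no path on which a parse failure means "nothing to check".
func CheckPredicateType(envelopeJSON []byte, wantType string) error {
	var env dsseEnvelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return fmt.Errorf("envelope is not valid JSON: %w", err)
	}
	if env.PayloadType != inTotoPayloadType {
		return fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("payload is not valid base64: %w", err)
	}
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return fmt.Errorf("payload is not a valid in-toto statement: %w", err)
	}
	if st.Type != "https://in-toto.io/Statement/v0.1" && st.Type != "https://in-toto.io/Statement/v1" {
		return fmt.Errorf("unexpected statement _type %q", st.Type)
	}
	if len(st.Subject) == 0 {
		return errors.New("statement has no subject")
	}
	if st.PredicateType == "" {
		return errors.New("statement has no predicateType")
	}
	if st.PredicateType != wantType {
		return fmt.Errorf("predicateType mismatch: got %q, want %q", st.PredicateType, wantType)
	}
	return nil
}

// Envelope wraps a payload in a constructed, unsigned DSSE envelope for the
// sample cases below (assumption: test data only, never a real attestation).
func Envelope(payloadType string, payload []byte) []byte {
	b, _ := json.Marshal(dsseEnvelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
	})
	return b
}

// Constructed sample statements; digests and predicate contents are dummies.
var (
	GoodStatement           = []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"app.tar.gz","digest":{"sha256":"0000"}}],"predicateType":"https://slsa.dev/provenance/v1","predicate":{"buildType":"example"}}`)
	WrongPredicateStatement = []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"app.tar.gz","digest":{"sha256":"0000"}}],"predicateType":"https://example.com/custom/v1","predicate":{}}`)
	MalformedStatement      = []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"app.tar.gz"}],"predicateType":`)
)

func main() {
	const want = "https://slsa.dev/provenance/v1"
	cases := []struct {
		name string
		env  []byte
	}{
		{"well-formed, expected type", Envelope(inTotoPayloadType, GoodStatement)},
		{"mismatched predicateType", Envelope(inTotoPayloadType, WrongPredicateStatement)},
		{"malformed payload", Envelope(inTotoPayloadType, MalformedStatement)},
		{"wrong payloadType", Envelope("text/plain", GoodStatement)},
	}
	for _, c := range cases {
		if err := CheckPredicateType(c.env, want); err != nil {
			fmt.Printf("%-27s REJECT: %v\n", c.name, err)
		} else {
			fmt.Printf("%-27s OK\n", c.name)
		}
	}
}
```

Only the first case passes; the mismatched, malformed and wrong-payloadType envelopes are all rejected with a specific reason. On an affected cosign release, treat "Verified OK" as necessary but not sufficient until a re-check like this also passes; on 2.6.3 / 3.0.6 or later the same checks are expected to happen inside cosign itself.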