data/reports: add GO-2022-0326.yaml

zpavlinovic · zpavlinovic · commit bcaf60069aac · 2023-11-09T18:00:31.000Z
Aliases: CVE-2022-23649, GHSA-ccxc-vr6p-4858 Fixes #326 Change-Id: I3a136ad5ea76cce6aff198acf8317345e841b9ac Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/540897 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Cesar Alberto De oliveira <cesaralbertodeoliveira190@gmail.com> Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/excluded/GO-2022-0326.yaml b/data/excluded/GO-2022-0326.yaml
diff --git a/data/osv/GO-2022-0326.json b/data/osv/GO-2022-0326.json
@@ -0,0 +1,75 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2022-0326",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-23649",
+    "GHSA-ccxc-vr6p-4858"
+  ],
+  "summary": "Improper certificate validation in github.com/sigstore/cosign",
+  "details": "Cosign can be manipulated to claim that an entry for a signature in the OCI registry exists in the Rekor transparency log even if it does not. This requires the attacker to have pull and push permissions for the signature in OCI. This can happen with both standard signing with a keypair and \"keyless signing\" with Fulcio certificate authority.",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/sigstore/cosign",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.5.2"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/sigstore/cosign/pkg/cosign",
+            "symbols": [
+              "VerifyBundle",
+              "VerifyImageAttestations",
+              "VerifyImageSignature",
+              "VerifyImageSignatures",
+              "VerifyLocalImageAttestations",
+              "VerifyLocalImageSignatures"
+            ]
+          },
+          {
+            "path": "github.com/sigstore/cosign/pkg/sget",
+            "symbols": [
+              "SecureGet.Do"
+            ]
+          },
+          {
+            "path": "github.com/sigstore/cosign/cmd/cosign/cli/verify",
+            "symbols": [
+              "PrintVerificationHeader",
+              "VerifyAttestationCommand.Exec",
+              "VerifyCommand.Exec"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://github.com/sigstore/cosign/commit/96d410a6580e4e81d24d112a0855c70ca3fb5b49"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sigstore/cosign/releases/tag/v1.5.2"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2022-0326"
+  }
+}
diff --git a/data/reports/GO-2022-0326.yaml b/data/reports/GO-2022-0326.yaml
@@ -0,0 +1,38 @@
+id: GO-2022-0326
+modules:
+    - module: github.com/sigstore/cosign
+      versions:
+        - fixed: 1.5.2
+      vulnerable_at: 1.5.1
+      packages:
+        - package: github.com/sigstore/cosign/pkg/cosign
+          symbols:
+            - VerifyBundle
+          derived_symbols:
+            - VerifyImageAttestations
+            - VerifyImageSignature
+            - VerifyImageSignatures
+            - VerifyLocalImageAttestations
+            - VerifyLocalImageSignatures
+        - package: github.com/sigstore/cosign/pkg/sget
+          symbols:
+            - SecureGet.Do
+        - package: github.com/sigstore/cosign/cmd/cosign/cli/verify
+          symbols:
+            - VerifyAttestationCommand.Exec
+            - VerifyCommand.Exec
+            - PrintVerificationHeader
+summary: Improper certificate validation in github.com/sigstore/cosign
+description: |-
+    Cosign can be manipulated to claim that an entry for a signature in the OCI
+    registry exists in the Rekor transparency log even if it does not. This requires
+    the attacker to have pull and push permissions for the signature in OCI. This
+    can happen with both standard signing with a keypair and "keyless signing" with
+    Fulcio certificate authority.
+cves:
+    - CVE-2022-23649
+ghsas:
+    - GHSA-ccxc-vr6p-4858
+references:
+    - fix: https://github.com/sigstore/cosign/commit/96d410a6580e4e81d24d112a0855c70ca3fb5b49
+    - web: https://github.com/sigstore/cosign/releases/tag/v1.5.2
