Home > Vulnerability Database > CVE-2023-47122

Mend.io Vulnerability Database

CVE-2023-47122

Good to know:

Date: November 10, 2023

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

Language: Go

Severity Score

4.2

Related Resources (7)

Url: https://github.com/sigstore/gitsign/pull/399

Url: https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-47122

Url: https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236

Url: https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model

Url: https://github.com/sigstore/gitsign

Url: https://www.mend.io/vulnerability-database/CVE-2023-47122

Severity Score

4.2

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

Top Fix

Upgrade Version

Upgrade to version v0.8.0

Learn More

CVSS v3.1

Base Score:	4.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-47122

Good to know:

Date: November 10, 2023

Language: Go

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?