Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise of the default public good instance (`rekor.sigstore.dev`); anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-11-10T21:33:55.421Z
Updated: 2024-09-03T15:24:07.931Z
Reserved: 2023-10-30T19:57:51.675Z
Link: CVE-2023-47122
Vulnrichment
Updated: 2024-08-02T21:01:22.666Z
NVD
Status : Modified
Published: 2023-11-10T22:15:14.250
Modified: 2024-11-21T08:29:49.413
Link: CVE-2023-47122
Redhat
No data.