GHSA-8PMP-678W-C8XX

Vulnerability from github – Published: 2024-11-05 15:26 – Updated: 2024-11-06 19:55
VLAI?
Summary
gitsign may use incorrect Rekor entries during verification
Details

Summary

gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log.

Details

gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification.

PoC

Enable the credential cache and create commit signatures using the cached signing certificate. gitsign verify or git log --show-signature will demonstrate the use of the wrong entry index for the corresponding commit. Note that this depends on the order of matching entries in the response from the Rekor search API, so it may take a few attempts to trigger this.

Impact

Minimal. While gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder.

Severity ?
1.8 (Low)
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/sigstore/gitsign"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51746"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-706"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-05T15:26:57Z",
    "nvd_published_at": "2024-11-05T19:15:08Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\ngitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log.\n\n### Details\n\ngitsign uses Rekor\u0027s search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match _either_ condition rather than _both_. When gitsign\u0027s credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry\u0027s hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification.\n\n### PoC\n\nEnable the credential cache and create commit signatures using the cached signing certificate. `gitsign verify` or `git log --show-signature` will demonstrate the use of the wrong entry index for the corresponding commit. Note that this depends on the order of matching entries in the response from the Rekor search API, so it may take a few attempts to trigger this.\n\n### Impact\n\nMinimal. While gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder.",
  "id": "GHSA-8pmp-678w-c8xx",
  "modified": "2024-11-06T19:55:44Z",
  "published": "2024-11-05T15:26:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51746"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sigstore/gitsign"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "gitsign may use incorrect Rekor entries during verification"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.