Vulnerabilities > CVE-2022-35929 - Unspecified vulnerability in Sigstore Cosign

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

sigstore

critical

NVD

Published: 2022-08-04

Updated: 2024-11-21

Summary

cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verify-attestation` used with the `--type` flag will report a false positive verification when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. This vulnerability can be reproduced with the `distroless.dev/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2` image. This image has a `vuln` attestation but not an `spdx` attestation. However, if you run `cosign verify-attestation --type=spdx` on this image, it incorrectly succeeds. This issue has been addressed in version 1.10.1 of cosign. Users are advised to upgrade. There are no known workarounds for this issue.

Vulnerable Configurations

Part	Description	Count
Application	Sigstore Sigstore Cosign - Sigstore Cosign 0.1.0 Sigstore Cosign 0.2.0 Sigstore Cosign 0.3.0 Sigstore Cosign 0.3.1 Sigstore Cosign 0.4.0 Sigstore Cosign 0.5.0 Sigstore Cosign 0.6.0 Sigstore Cosign 1.0.0 Sigstore Cosign 1.0.1 Sigstore Cosign 1.1.0 Sigstore Cosign 1.2.0 Sigstore Cosign 1.2.1 Sigstore Cosign 1.3.0 Sigstore Cosign 1.3.1 Sigstore Cosign 1.4.0 Sigstore Cosign 1.4.1 Sigstore Cosign 1.5.0 Sigstore Cosign 1.5.1 Sigstore Cosign 1.5.2 Sigstore Cosign 1.6.0 Sigstore Cosign 1.7.0 Sigstore Cosign 1.7.1 Sigstore Cosign 1.7.2 Sigstore Cosign 1.8.0 Sigstore Cosign 1.9.0 Sigstore Cosign 1.10.0	28

Summary

Vulnerable Configurations

References