cve-2024-55655
Vulnerability from cvelistv5
Published
2024-12-10 23:06
Modified
2024-12-11 16:03
Severity ?
EPSS score ?
Summary
sigstore-python has insufficient validation of integration timestamp during verification
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | sigstore | sigstore-python |
Version: >= 2.0.0, < 3.6.0 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55655",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-11T16:03:32.260056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-11T16:03:42.578Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sigstore-python",
"vendor": "sigstore",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 3.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the \"integration time\" present in \"v2\" and \"v3\" bundles during the verification flow: the \"integration time\" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present. This does not affect \"v1\" bundles, as the \"v1\" bundle format always requires an inclusion promise.\n\nSigstore uses signed time to support verification of signatures made against short-lived signing keys. The impact and severity of this weakness is *low*, as Sigstore contains multiple other enforcing components that prevent an attacker who modifies the integration timestamp within a bundle from impersonating a valid signature. In particular, an attacker who modifies the integration timestamp can induce a Denial of Service, but in no different manner than already possible with bundle access (e.g. modifying the signature itself such that it fails to verify). Separately, an attacker could upload a *new* entry to the transparency service, and substitute their new entry\u0027s time. However, this would still be rejected at validation time, as the new entry\u0027s (valid) signed time would be outside the validity window of the original signing certificate and would nonetheless render the attacker auditable."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-325",
"description": "CWE-325: Missing Cryptographic Step",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T23:06:42.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hhfg-fwrw-87w7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hhfg-fwrw-87w7"
},
{
"name": "https://github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf"
},
{
"name": "https://github.com/sigstore/sigstore-python/releases/tag/v3.6.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sigstore/sigstore-python/releases/tag/v3.6.0"
}
],
"source": {
"advisory": "GHSA-hhfg-fwrw-87w7",
"discovery": "UNKNOWN"
},
"title": "sigstore-python has insufficient validation of integration timestamp during verification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55655",
"datePublished": "2024-12-10T23:06:42.193Z",
"dateReserved": "2024-12-10T14:48:24.296Z",
"dateUpdated": "2024-12-11T16:03:42.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-55655\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-12-10T23:15:06.570\",\"lastModified\":\"2024-12-10T23:15:06.570\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the \\\"integration time\\\" present in \\\"v2\\\" and \\\"v3\\\" bundles during the verification flow: the \\\"integration time\\\" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present. This does not affect \\\"v1\\\" bundles, as the \\\"v1\\\" bundle format always requires an inclusion promise.\\n\\nSigstore uses signed time to support verification of signatures made against short-lived signing keys. The impact and severity of this weakness is *low*, as Sigstore contains multiple other enforcing components that prevent an attacker who modifies the integration timestamp within a bundle from impersonating a valid signature. In particular, an attacker who modifies the integration timestamp can induce a Denial of Service, but in no different manner than already possible with bundle access (e.g. modifying the signature itself such that it fails to verify). Separately, an attacker could upload a *new* entry to the transparency service, and substitute their new entry\u0027s time. However, this would still be rejected at validation time, as the new entry\u0027s (valid) signed time would be outside the validity window of the original signing certificate and would nonetheless render the attacker auditable.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":2.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"NONE\",\"vulnerableSystemIntegrity\":\"LOW\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"NONE\",\"subsequentSystemIntegrity\":\"NONE\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"},{\"lang\":\"en\",\"value\":\"CWE-325\"}]}],\"references\":[{\"url\":\"https://github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sigstore/sigstore-python/releases/tag/v3.6.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hhfg-fwrw-87w7\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.