{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-51746", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-10-31T14:12:45.790Z", "datePublished": "2024-11-05T18:54:39.494Z", "dateUpdated": "2024-11-05T20:30:02.393Z"}, "containers": {"cna": {"title": "Use of incorrect Rekor entries during verification in gitsign", "problemTypes": [{"descriptions": [{"cweId": "CWE-706", "lang": "en", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 1.8, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx"}], "affected": [{"vendor": "sigstore", "product": "gitsign", "versions": [{"version": "< 0.11.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-05T18:54:58.135Z"}, "descriptions": [{"lang": "en", "value": "Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification. Impact is minimal as while gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder."}], "source": {"advisory": "GHSA-8pmp-678w-c8xx", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "sigstore", "product": "gitsign", "cpes": ["cpe:2.3:a:sigstore:gitsign:*:*:*:*:*:go:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.11.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-05T20:18:07.672798Z", "id": "CVE-2024-51746", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T20:30:02.393Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-51746", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-05T20:18:07.672798Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:sigstore:gitsign:*:*:*:*:*:go:*:*"], "vendor": "sigstore", "product": "gitsign", "versions": [{"status": "affected", "version": "0", "lessThan": "0.11.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-05T20:29:58.283Z"}}], "cna": {"title": "Use of incorrect Rekor entries during verification in gitsign", "source": {"advisory": "GHSA-8pmp-678w-c8xx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 1.8, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "sigstore", "product": "gitsign", "versions": [{"status": "affected", "version": "< 0.11.0"}]}], "references": [{"url": "https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx", "name": "https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification. Impact is minimal as while gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-706", "description": "CWE-706: Use of Incorrectly-Resolved Name or Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-05T18:54:58.135Z"}}}, "cveMetadata": {"cveId": "CVE-2024-51746", "state": "PUBLISHED", "dateUpdated": "2024-11-05T20:30:02.393Z", "dateReserved": "2024-10-31T14:12:45.790Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-05T18:54:39.494Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification. Impact is minimal as while gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder."}, {"lang": "es", "value": "Gitsign es una herramienta de firma de Sigstore sin clave para las confirmaciones de Git con su identidad de GitHub/OIDC. gitsign puede seleccionar la entrada de Rekor incorrecta para usar durante la verificaci\u00f3n en l\u00ednea cuando el registro devuelve varias entradas. gitsign usa la API de b\u00fasqueda de Rekor para obtener las entradas que se aplican a una firma que se est\u00e1 verificando. Los par\u00e1metros utilizados para la b\u00fasqueda son la clave p\u00fablica y el payload. La API de b\u00fasqueda devuelve las entradas que coinciden con una de las condiciones en lugar de ambas. Cuando se usa el cach\u00e9 de credenciales de gitsign, puede haber varias entradas que usen el mismo certificado de firma/par de claves ef\u00edmeras. Como gitsign asume que Rekor cumple con ambas condiciones, no hay una validaci\u00f3n adicional de que el hash de la entrada coincida con el payload que se est\u00e1 verificando, lo que significa que se puede usar la entrada incorrecta para pasar la verificaci\u00f3n con \u00e9xito. El impacto es m\u00ednimo ya que, si bien gitsign no compara el payload con la entrada, s\u00ed garantiza que el certificado coincida. Esto deber\u00eda ser explotado durante la ventana de validez del certificado (10 minutos) por el titular de la clave."}], "id": "CVE-2024-51746", "lastModified": "2024-11-06T18:17:17.287", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 1.8, "baseSeverity": "LOW", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "LOW"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-11-05T19:15:08.300", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-706"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "gitsign: Use of incorrect Rekor entries during verification", "id": "2323965", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2323965"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-706", "details": ["Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification. Impact is minimal as while gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder.", "A flaw was found in the Gitsign sigstore package. When Gitsign's credential cache is used, it may select the wrong Rekor entry to use during online verification when the log returns multiple entries. This may lead to the incorrect entry being used to pass verification successfully."], "name": "CVE-2024-51746", "package_state": [{"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Fix deferred", "package_name": "rhtas/gitsign-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2024-11-05T18:54:39Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-51746\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-51746\nhttps://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx"], "threat_severity": "Low"}