cvedb.io
CVE-2022-36056
MEDIUM · CVSS 5.5
EPSS exploitation probability: 0%
Published 2022-09-14T20:15:09.860 · Last modified 2026-06-17T04:52:49.517

Summary

Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0, a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First, a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate are not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth, an invalid transparency log entry will result in immediate success for veri

Affected products

sigstore — cosign

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.