CVE-2024-51746: gitsign may use incorrect Rekor entries during verification

November 5, 2024 (updated November 6, 2024)

gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log.

References

github.com/advisories/GHSA-8pmp-678w-c8xx
github.com/sigstore/gitsign
github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx
nvd.nist.gov/vuln/detail/CVE-2024-51746

Detect and mitigate CVE-2024-51746 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →