CVE-2024-55655: sigstore has insufficient validation of integration timestamp during verification
Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the “integration time” present in “v2” and “v3” bundles during the verification flow: the “integration time” is verified if a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present.
This does not affect “v1” bundles, as the “v1” bundle format always requires an inclusion promise.
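To make the flaw concrete, here is an added illustration that is not sigstore-python's own code: a constructed model of the pre-3.6.0 shape of the integration-time check beside the hardened form. The `Bundle` fields, `verify_time_*` functions and the 10-minute certificate window are assumptions of this model, not the library's API.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

class VerificationError(Exception): pass

@dataclass
class Bundle:
    # Constructed model of the fields relevant here, not the real sigstore-python types.
    integrated_time: int                              # epoch seconds, self-reported by the log entry
    inclusion_promise: Optional[bytes] = None         # signed entry timestamp (SET) from the log
    rfc3161_timestamps: tuple[bytes, ...] = ()        # TSA responses, if any

def has_signed_time(b: Bundle) -> bool:
    """A source of signed time is an inclusion promise or an RFC 3161 timestamp."""
    return b.inclusion_promise is not None or len(b.rfc3161_timestamps) > 0

def _check_window(t: datetime, not_before: datetime, not_after: datetime) -> datetime:
    if not (not_before <= t <= not_after):
        raise VerificationError(f"signing time {t.isoformat()} outside certificate validity")
    return t

def verify_time_vulnerable(b: Bundle, not_before: datetime, not_after: datetime) -> datetime:
    """Pre-3.6.0 shape: SET/TSA checked if present (assumed valid here), else bare integratedTime trusted."""
    t = datetime.fromtimestamp(b.integrated_time, tz=timezone.utc)
    return _check_window(t, not_before, not_after)

def verify_time_fixed(b: Bundle, not_before: datetime, not_after: datetime) -> datetime:
    """Hardened shape: no signed time source means verification fails, as v1 always required."""
    if not has_signed_time(b):
        raise VerificationError("bundle carries no source of signed time")
    t = datetime.fromtimestamp(b.integrated_time, tz=timezone.utc)  # the time the SET/TSA signs over
    return _check_window(t, not_before, not_after)

def demo() -> dict:
    """Constructed cases against a 10-minute certificate window; True means the bundle is accepted."""
    nb = datetime(2024, 1, 1, tzinfo=timezone.utc)
    na = datetime(2024, 1, 1, 0, 10, tzinfo=timezone.utc)
    t = int(nb.timestamp()) + 60
    unsigned = Bundle(t)                                        # no SET, no TSA: time is unauthenticated
    promised = Bundle(t, inclusion_promise=b"<constructed SET>")
    def accepts(fn, bundle):
        try:
            fn(bundle, nb, na)
            return True
        except VerificationError:
            return False
    return {"vulnerable_unsigned": accepts(verify_time_vulnerable, unsigned),
            "fixed_unsigned": accepts(verify_time_fixed, unsigned),
            "fixed_promised": accepts(verify_time_fixed, promised)}
```

The unsigned bundle is the case the advisory describes: the vulnerable path accepts a time nothing has signed over, while the hardened path rejects the bundle outright and only accepts once a signed time source is present.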
References
- github.com/advisories/GHSA-hhfg-fwrw-87w7
- github.com/sigstore/sigstore-python
- github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf
- github.com/sigstore/sigstore-python/releases/tag/v3.6.0
- github.com/sigstore/sigstore-python/security/advisories/GHSA-hhfg-fwrw-87w7
- nvd.nist.gov/vuln/detail/CVE-2024-55655