You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked.
Details
The public verify options include certificateOIDs and the documentation says those OID/value pairs “must be present in the certificate’s extension list.” The policy-construction path used by sigstore.verify() and createVerifier() only copies the SAN and issuer settings into the verification policy and completely ignores certificateOIDs.
As a result, callers can believe they are constraining verification to certificates carrying specific Fulcio or workload-identifying OIDs, while the actual verifier never receives those constraints. Any bundle that satisfies the remaining checks is accepted even if the required OID extensions are absent or mismatched.
This is reachable from supported usage through the documented certificateOIDs verify option.
Applications that rely on certificateOIDs to restrict which certificates may sign artifacts receive no such protection. Unauthorized certificates that should be rejected on extension policy can be accepted as long as they satisfy the remaining verification checks.
Affected component
The vulnerability is in pkg:npm/sigstore@4.1.0, found in artifacts pkg:oci/devguard-documentation?repository_url=ghcr.io/l3montree-dev/devguard-documentation&arch=amd64&tag=main-amd64, pkg:oci/l3montree-cybersecurity/devguard/devguard-documentation.
Recommended fix
Upgrade to version 4.1.1 or later.
# Update all vulnerable npm packages
npm audit fix
# Update only this package
npm install sigstore@4.1.1
Additional guidance for mitigating vulnerabilities
The vulnerability is in a direct dependency of your project.
EPSS
0.00 %
The exploit probability is very low. The vulnerability is unlikely to be exploited in the next 30 days.
EXPLOIT
Not available
We did not find any exploit available. Neither in GitHub repositories nor in the Exploit-Database. There are no script kiddies exploiting this vulnerability.
CVSS-BE
7.5
- Exploiting this vulnerability significantly impacts integrity.
CVSS-B
7.5
- The vulnerability can be exploited over the network without needing physical access. - It is easy for an attacker to exploit this vulnerability. - An attacker does not need any special privileges or access rights. - No user interaction is needed for the attacker to exploit this vulnerability. - The impact is confined to the system where the vulnerability exists. - There is a high impact on the integrity of the data.
GHSA-52v5-jr5w-gjxr found in npm/sigstore@4.1.0
Important
Risk:
3.45 (Low)CVSS:
7.5Description
Summary
The documented
certificateOIDsoption insigstore.verify()is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked.Details
The public verify options include
certificateOIDsand the documentation says those OID/value pairs “must be present in the certificate’s extension list.” The policy-construction path used bysigstore.verify()andcreateVerifier()only copies the SAN and issuer settings into the verification policy and completely ignorescertificateOIDs.As a result, callers can believe they are constraining verification to certificates carrying specific Fulcio or workload-identifying OIDs, while the actual verifier never receives those constraints. Any bundle that satisfies the remaining checks is accepted even if the required OID extensions are absent or mismatched.
This is reachable from supported usage through the documented
certificateOIDsverify option.PoC
Impact
Applications that rely on
certificateOIDsto restrict which certificates may sign artifacts receive no such protection. Unauthorized certificates that should be rejected on extension policy can be accepted as long as they satisfy the remaining verification checks.Affected component
The vulnerability is in
pkg:npm/sigstore@4.1.0, found in artifactspkg:oci/devguard-documentation?repository_url=ghcr.io/l3montree-dev/devguard-documentation&arch=amd64&tag=main-amd64,pkg:oci/l3montree-cybersecurity/devguard/devguard-documentation.Recommended fix
Upgrade to version 4.1.1 or later.
Additional guidance for mitigating vulnerabilities
Visit our guides on devguard.org
See more details...
Path to component
%%{init: { 'theme':'base', 'themeVariables': { 'primaryColor': '#F3F3F3', 'primaryTextColor': '#0D1117', 'primaryBorderColor': '#999999', 'lineColor': '#999999', 'secondaryColor': '#ffffff', 'tertiaryColor': '#ffffff' } }}%% flowchart TD Your_application(["Your application"]) --- pkg_npm_sigstore_4_1_0(["pkg:npm/sigstore\@4.1.0"]) classDef default stroke-width:2px10.00 %Not available7.57.5- It is easy for an attacker to exploit this vulnerability.
- An attacker does not need any special privileges or access rights.
- No user interaction is needed for the attacker to exploit this vulnerability.
- The impact is confined to the system where the vulnerability exists.
- There is a high impact on the integrity of the data.
More details can be found in DevGuard
Interact with this vulnerability
You can use the following slash commands to interact with this vulnerability:
👍 Reply with this to acknowledge and accept the identified risk.
🔁 Reopen the risk: Use this command to reopen a previously closed or accepted vulnerability.