Skip to content

GHSA-52v5-jr5w-gjxr found in npm/sigstore@4.1.0 #161

Description

@devguard-bot-dev

GHSA-52v5-jr5w-gjxr found in npm/sigstore@4.1.0

Important

Risk: 3.45 (Low)
CVSS: 7.5

Description

Summary

The documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked.

Details

The public verify options include certificateOIDs and the documentation says those OID/value pairs “must be present in the certificate’s extension list.” The policy-construction path used by sigstore.verify() and createVerifier() only copies the SAN and issuer settings into the verification policy and completely ignores certificateOIDs.

As a result, callers can believe they are constraining verification to certificates carrying specific Fulcio or workload-identifying OIDs, while the actual verifier never receives those constraints. Any bundle that satisfies the remaining checks is accepted even if the required OID extensions are absent or mismatched.

This is reachable from supported usage through the documented certificateOIDs verify option.

PoC

const { createVerificationPolicy } = require("sigstore/dist/config");

const policy = createVerificationPolicy({
  certificateIssuer: "https://issuer.example",
  certificateIdentityEmail: "victim@example.com",
  certificateOIDs: {
    "1.2.3.4": "required-value",
  },
});

console.log("certificateOIDs" in policy, JSON.stringify(policy));
// false {"subjectAlternativeName":"victim@example.com","extensions":{"issuer":"https://issuer.example"}}

Impact

Applications that rely on certificateOIDs to restrict which certificates may sign artifacts receive no such protection. Unauthorized certificates that should be rejected on extension policy can be accepted as long as they satisfy the remaining verification checks.

Affected component

The vulnerability is in pkg:npm/sigstore@4.1.0, found in artifacts pkg:oci/devguard-documentation?repository_url=ghcr.io/l3montree-dev/devguard-documentation&arch=amd64&tag=main-amd64, pkg:oci/l3montree-cybersecurity/devguard/devguard-documentation.

Recommended fix

Upgrade to version 4.1.1 or later.

# Update all vulnerable npm packages
npm audit fix
# Update only this package
npm install sigstore@4.1.1 

Additional guidance for mitigating vulnerabilities

Visit our guides on devguard.org

See more details...

Path to component

 %%{init: { 'theme':'base', 'themeVariables': {
'primaryColor': '#F3F3F3',
'primaryTextColor': '#0D1117',
'primaryBorderColor': '#999999',
'lineColor': '#999999',
'secondaryColor': '#ffffff',
'tertiaryColor': '#ffffff'
} }}%%
 flowchart TD
Your_application(["Your application"]) --- pkg_npm_sigstore_4_1_0(["pkg:npm/sigstore\@4.1.0"])

classDef default stroke-width:2px
Loading
Risk Factor Value Description
Vulnerability Depth 1 The vulnerability is in a direct dependency of your project.
EPSS 0.00 % The exploit probability is very low. The vulnerability is unlikely to be exploited in the next 30 days.
EXPLOIT Not available We did not find any exploit available. Neither in GitHub repositories nor in the Exploit-Database. There are no script kiddies exploiting this vulnerability.
CVSS-BE 7.5 - Exploiting this vulnerability significantly impacts integrity.
CVSS-B 7.5 - The vulnerability can be exploited over the network without needing physical access.
- It is easy for an attacker to exploit this vulnerability.
- An attacker does not need any special privileges or access rights.
- No user interaction is needed for the attacker to exploit this vulnerability.
- The impact is confined to the system where the vulnerability exists.
- There is a high impact on the integrity of the data.

More details can be found in DevGuard


Interact with this vulnerability

You can use the following slash commands to interact with this vulnerability:

👍 Reply with this to acknowledge and accept the identified risk.

/accept I accept the risk of this vulnerability, because ...

⚠️ Mark the risk as false positive: Use one of these commands if you believe the reported vulnerability is not actually a valid issue.

/component-not-present The vulnerable component is not included in the artifact.
/vulnerable-code-not-present The component is present, but the vulnerable code is not included or compiled.
/vulnerable-code-not-in-execute-path The vulnerable code exists, but is never executed at runtime.
/vulnerable-code-cannot-be-controlled-by-adversary Built-in protections prevent exploitation of this vulnerability.
/inline-mitigations-already-exist The vulnerable code cannot be controlled or influenced by an attacker.

🔁 Reopen the risk: Use this command to reopen a previously closed or accepted vulnerability.

/reopen ... 

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions