CVE-2023-47122— Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-47122
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.
Source: NVD (National Vulnerability Database)
Vulnerability Description
Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
密码学签名的验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Gitsign 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Gitsign是Gitsign个人开发者的一个能够免密钥完成对Git提交进行签名的工具。 Gitsign 0.6.0版本至0.8.0之前版本存在安全漏洞,该漏洞源于Rekor公钥是通过Rekor API获取的,而不是通过本地TUF客户端获取,可能会被欺骗而信任不正确的签名。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2023-47122
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-47122
请登录查看更多情报信息。
- https://github.com/sigstore/gitsign/pull/399x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2023-47122
IV. Related Vulnerabilities
Same vendor: sigstore
- CVE-2026-39984
Sigstore Timestamp Authority has Improper Certificate Valida - CVE-2026-39395
Cosign's verify-blob-attestation reports false positive when - CVE-2026-31830
sigstore-ruby verifier returns success for DSSE bundles with - CVE-2026-24122
Cosign Certificate Chain Expiry Validation Issue Allows Issu - CVE-2026-24408
sigstore has CSRF possibility in OIDC authentication during
Same weakness: CWE-347
- CVE-2026-42193
Plunk: SNS webhook forgery - CVE-2026-44497
ZEBRA: Consensus Divergence in Transparent Sighash Hash-Type - CVE-2026-41669
Admidio: SAML Signature Validation Result Ignored — Forged A - CVE-2026-7689
Dolibarr ERP CRM Online Signature security.lib.php dol_verif - CVE-2026-33467
Improper Verification of Cryptographic Signature in Elastic
V. Comments for CVE-2023-47122
No comments yet