CVE-2024-54140— sigstore-java has a vulnerability with bundle verification
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-54140
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
sigstore-java has a vulnerability with bundle verification
Source: NVD (National Vulnerability Database)
Vulnerability Description
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify(). Currently checkpoints are only used to ensure the root hash of an inclusion proof was provided by the log in question. Failing to validate that means a bundle may provide an inclusion proof that doesn't actually correspond to the log in question. This may eventually lead a monitor/witness being unable to detect when a compromised logs are providing different views of themselves to different clients. There are other mechanisms right now that mitigate this, such as the signed entry timestamp. Sigstore-java currently requires a valid signed entry timestamp. By correctly verifying the signed entry timestamp we can make certain assertions about the log signing the log entry (like the log was aware of the artifact signing event and signed it). Therefore the impact on clients that are not monitors/witnesses is very low. This vulnerability is fixed in 1.2.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
sigstore-java 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
sigstore-java是sigstore开源的一个用于与 sigstore 基础架构交互的 sigstore java 客户端。 sigstore-java 1.2.0之前版本存在输入验证错误漏洞,该漏洞源于在用户提供无效签名的情况下无法进行充分验证。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| sigstore | sigstore-java | < 1.2.0 | - |
II. Public POCs for CVE-2024-54140
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-54140
请登录查看更多情报信息。
- Merge commit from fork · sigstore/sigstore-java@23fb488 · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2024-54140
IV. Related Vulnerabilities
Same vendor: sigstore
- CVE-2026-39984
Sigstore Timestamp Authority has Improper Certificate Valida - CVE-2026-39395
Cosign's verify-blob-attestation reports false positive when - CVE-2026-31830
sigstore-ruby verifier returns success for DSSE bundles with - CVE-2026-24122
Cosign Certificate Chain Expiry Validation Issue Allows Issu - CVE-2026-24408
sigstore has CSRF possibility in OIDC authentication during
Same weakness: CWE-20
V. Comments for CVE-2024-54140
No comments yet