目标达成 感谢每一位支持者 — 我们达成了 100% 目标!

目标: 1000 元 · 已筹: 1336

100%

CVE-2024-54140— sigstore-java 输入验证错误漏洞

AI 预测 5.3 利用难度: 中等 EPSS 0.21% · P11
获取后续新漏洞提醒登录后订阅

一、 漏洞 CVE-2024-54140 基础信息

漏洞信息

对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗

尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。

Vulnerability Title
sigstore-java has a vulnerability with bundle verification
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify(). Currently checkpoints are only used to ensure the root hash of an inclusion proof was provided by the log in question. Failing to validate that means a bundle may provide an inclusion proof that doesn't actually correspond to the log in question. This may eventually lead a monitor/witness being unable to detect when a compromised logs are providing different views of themselves to different clients. There are other mechanisms right now that mitigate this, such as the signed entry timestamp. Sigstore-java currently requires a valid signed entry timestamp. By correctly verifying the signed entry timestamp we can make certain assertions about the log signing the log entry (like the log was aware of the artifact signing event and signed it). Therefore the impact on clients that are not monitors/witnesses is very low. This vulnerability is fixed in 1.2.0.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
输入验证不恰当
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
sigstore-java 输入验证错误漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
sigstore-java是sigstore开源的一个用于与 sigstore 基础架构交互的 sigstore java 客户端。 sigstore-java 1.2.0之前版本存在输入验证错误漏洞,该漏洞源于在用户提供无效签名的情况下无法进行充分验证。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD

受影响产品

厂商产品影响版本CPE订阅
sigstoresigstore-java < 1.2.0 -

二、漏洞 CVE-2024-54140 的公开POC

#POC 描述源链接神龙链接
AI 生成 POC高级

未找到公开 POC。

登录以生成 AI POC

三、漏洞 CVE-2024-54140 的情报信息

登录查看更多情报信息。

CVE-2024-54140 补丁与修复 (2)

CVE-2024-54140 厂商安全公告 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2024-54140

暂无评论


发表评论