NVD

Vulnerability Change Records for CVE-2023-47122

Action	Type	New Value
Added	CVSS V3.1	GitHub, Inc. AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
Added	CWE	GitHub, Inc. CWE-347
Added	Description	Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.
Added	Reference	GitHub, Inc. https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model [No types assigned]
Added	Reference	GitHub, Inc. https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236 [No types assigned]
Added	Reference	GitHub, Inc. https://github.com/sigstore/gitsign/pull/399 [No types assigned]
Added	Reference	GitHub, Inc. https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc [No types assigned]