CNNVD-202601-1728 Information
CNNVD ID
CNNVD-202601-1728
Related CVE
CNNVD Published: 2026-01-10
Description (translated from Chinese)
Cosign is an American tool for container signing, verification and storage in OCI registries. Versions of Cosign before 2.6.2 and before 3.0.4 contain a data forgery vulnerability: a specially crafted Cosign bundle verifies successfully even when the embedded Rekor entry does not reference the artifact's digest, signature or public key, which may affect the auditability of signing events.
Description (English)
Cosign provides signing, verification and storage of container images in OCI registries. Cosign versions before 2.6.2 and before 3.0.4 are affected by a data forgery issue: a specially crafted Cosign bundle passes verification even when the embedded Rekor entry does not reference the artifact's digest, signature or public key, so the Rekor record no longer reliably attests to the signing event and its auditability may be affected.
Hazard Level
High
Vulnerability Type
Data forgery
Affected Vendor
Individual developer
Published
2026-01-10
Last Modified
2026-02-24
References
https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176
https://github.com/sigstore/cosign/pull/4623
https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m
Patch
https://github.com/sigstore/cosign/releases