CNNVD-202601-1808 Information

CNNVD ID

CNNVD-202601-1808

CVE-2026-22772

  • CNNVD Published: 2026-01-12

Description (Chinese)

Fulcio is an open-source certificate authority from sigstore. Fulcio versions before 1.8.5 contain a code issue: MetaIssuer URL validation uses an unanchored regular expression, which may allow the validation to be bypassed and trigger a blind SSRF attack against arbitrary internal services.

Description (English)

Fulcio is a certificate authority for sigstore. Fulcio versions before 1.8.5 contain a code issue: MetaIssuer URL validation uses an unanchored regular expression, so the check can be bypassed and used to trigger a blind SSRF attack against arbitrary internal services.
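As an added illustration of the defect class the description names (this is not Fulcio's own code, and the real MetaIssuer pattern is not shown on this page), the Go snippet below contrasts a constructed unanchored issuer pattern with an anchored one plus an explicit scheme/host check; the host oidc.example.com and the sample URLs are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Both patterns are constructed for this example and stand in for the real
// MetaIssuer pattern, which this page does not show.
var (
	// Unanchored: MatchString returns true if the pattern occurs ANYWHERE in
	// the input, so attacker-controlled text before or after it still passes.
	unanchoredIssuer = regexp.MustCompile(`https://oidc\.example\.com/[a-z0-9-]+`)
	// Anchored with ^ and $: the whole input must have the allowed shape.
	anchoredIssuer = regexp.MustCompile(`^https://oidc\.example\.com/[a-z0-9-]+$`)
)

// IssuerAllowedUnanchored mirrors the defect class described above.
func IssuerAllowedUnanchored(issuer string) bool {
	return unanchoredIssuer.MatchString(issuer)
}

// IssuerAllowedAnchored is the regex-only fix: anchor the pattern.
func IssuerAllowedAnchored(issuer string) bool {
	return anchoredIssuer.MatchString(issuer)
}

// IssuerAllowedStrict adds a structural check on top of the anchored regex:
// parse the URL and confirm scheme, host and absence of userinfo exactly, so
// any outbound request can only ever go to the allow-listed host.
func IssuerAllowedStrict(issuer string) bool {
	if !anchoredIssuer.MatchString(issuer) {
		return false
	}
	u, err := url.Parse(issuer)
	if err != nil {
		return false
	}
	return u.Scheme == "https" && u.Host == "oidc.example.com" && u.User == nil
}

func main() {
	// Constructed sample inputs: a legitimate issuer, a URL to another host that
	// embeds the allowed shape in a query string, and an over-long path.
	for _, in := range []string{
		"https://oidc.example.com/tenant-a",
		"https://internal.example:8080/admin?next=https://oidc.example.com/tenant-a",
		"https://oidc.example.com/tenant-a/extra-path",
	} {
		fmt.Printf("%-75s unanchored=%-5t anchored=%-5t strict=%t\n",
			in, IssuerAllowedUnanchored(in), IssuerAllowedAnchored(in), IssuerAllowedStrict(in))
	}
}
```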

Hazard Level

High

Vulnerability Type

Code issue

Affected Vendor

sigstore

Published

2026-01-12

Last Modified

2026-02-24

References

https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d
https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr

Patch

https://github.com/sigstore/fulcio/releases