CNNVD-202601-3454 Information
CNNVD ID
CNNVD-202601-3454
Related CVE
- CNNVD Published: 2026-01-22
Description (Chinese, translated)
Rekor is an open-source project from sigstore that provides an immutable, tamper-evident ledger for the metadata generated in a software project's supply chain. Rekor 1.4.3 and earlier versions contain a code issue vulnerability: the /api/v1/index/retrieve endpoint supports retrieving a public key from a user-supplied URL, which can lead to server-side request forgery (SSRF).
Description (English)
Rekor is open-source software from sigstore that provides an immutable, tamper-evident ledger for metadata generated in the software supply chain. Rekor 1.4.3 and earlier versions contain a code issue vulnerability: the /api/v1/index/retrieve endpoint accepts a user-supplied URL from which the server fetches a public key, so a caller can make the Rekor server issue HTTP requests to hosts of the caller's choosing, including internal or cloud-metadata addresses (server-side request forgery). The fixing commit, the v1.5.0 release and the GitHub advisory GHSA-4c4x-jm2x-pf9j are listed under References.
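The description above says the endpoint fetched a key from a caller-supplied URL. The Go program below is an added example written for this page; it is not Rekor's code and not the fix referenced below. It shows the destination check a server must apply if it keeps any fetch-by-URL feature at all (the simplest remediation is to accept the key inline and never fetch): https only, no embedded credentials, resolve the host, and refuse loopback, private, link-local (cloud metadata), multicast and shared-address-space targets, including IPv4-mapped IPv6 forms. The `Resolver` type, `stubResolve`, the hostnames and the addresses are constructed so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver abstracts DNS so the example runs offline. In production, wrap
// net.DefaultResolver.LookupIPAddr here. (Assumed type for this example.)
type Resolver func(host string) ([]net.IP, error)

// extraBlocked covers ranges the net.IP helper methods do not flag:
// shared address space (RFC 6598), benchmarking (RFC 2544) and IETF protocol
// assignments (RFC 6890). Adjust to your environment.
var extraBlocked = mustCIDRs("100.64.0.0/10", "198.18.0.0/15", "192.0.0.0/24")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// isInternal reports whether a server-side request to ip would reach
// loopback, RFC 1918 private space, link-local (which includes the cloud
// metadata address 169.254.169.254), multicast, the unspecified address, or
// one of extraBlocked. IPv4-mapped IPv6 (::ffff:127.0.0.1) is normalised
// by To4() so it cannot bypass the IPv4 checks.
func isInternal(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return true
	}
	for _, n := range extraBlocked {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateFetchURL is the check to run before fetching a user-supplied URL on
// the caller's behalf. It enforces https, rejects embedded credentials,
// resolves the host and refuses any address inside the blocked ranges. The
// resolved IPs are returned so the caller can pin them in the HTTP
// transport's DialContext; re-resolving at dial time reopens DNS rebinding.
func ValidateFetchURL(raw string, resolve Resolver) (*url.URL, []net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, nil, fmt.Errorf("parse: %w", err)
	}
	if u.Scheme != "https" {
		return nil, nil, fmt.Errorf("scheme %q not allowed, https required", u.Scheme)
	}
	if u.User != nil {
		return nil, nil, errors.New("credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, nil, errors.New("missing host")
	}
	var ips []net.IP
	if lit := net.ParseIP(host); lit != nil {
		ips = []net.IP{lit} // literal address: nothing to resolve
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return nil, nil, fmt.Errorf("resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return nil, nil, fmt.Errorf("host %q resolves to internal address %s", host, ip)
		}
	}
	return u, ips, nil
}

// stubResolve is a constructed, offline stand-in for DNS. keys.example.com
// plays a well-behaved public host; evil.example.com is a hostname an
// attacker points at an internal address.
func stubResolve(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"keys.example.com": {net.ParseIP("93.184.216.34")},
		"evil.example.com": {net.ParseIP("10.0.0.5")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	for _, raw := range []string{
		"https://keys.example.com/signer.pub",
		"http://keys.example.com/signer.pub",
		"https://169.254.169.254/latest/meta-data/",
		"https://127.0.0.1:3000/api/v1/log",
		"https://evil.example.com/key.pub",
		"https://[::ffff:127.0.0.1]/key.pub",
	} {
		_, _, err := ValidateFetchURL(raw, stubResolve)
		fmt.Printf("%-46s -> %v\n", raw, err)
	}
}
```

Only the first URL passes; each of the others is refused for a different reason (scheme, link-local metadata address, loopback, a public hostname resolving into RFC 1918 space, and an IPv4-mapped loopback literal). Pinning the returned IPs in the dialer matters: validating and then letting the HTTP client resolve the name again lets an attacker-controlled DNS answer differ between the two lookups.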
Hazard Level
High
Vulnerability Type
Code issue
Affected Vendor
sigstore
Published
2026-01-22
Last Modified
2026-02-24
References
https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f
https://github.com/sigstore/rekor/releases/tag/v1.5.0
https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j
Patch
https://github.com/sigstore/rekor/releases