CNNVD-202601-4203 Information

CNNVD ID

CNNVD-202601-4203

CVE-2026-24137

  • CNNVD Published: 2026-01-23

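Description (translated from Chinese)

sigstore framework is an open-source Go library from sigstore. sigstore framework 1.10.3 and earlier versions contain a path traversal vulnerability. The vulnerability stems from a failure to validate that the generated file path stays within the cache base directory, which may lead to arbitrary file overwrite.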

Description (English)

Sigstore framework is an open-source Go library from sigstore. Version 1.10.3 and earlier versions contain a path traversal vulnerability: the library does not verify that the generated file path remains within the cache base directory, which may result in arbitrary file overwrite.

Hazard Level

High

Vulnerability Type

Path traversal

Affected Vendor

sigstore

Published

2026-01-23

Last Modified

2026-02-24

References

  • https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e
  • https://github.com/sigstore/sigstore/releases/tag/v1.10.4
  • https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf

Patch

https://www.sigstore.dev/
