CNNVD-202601-4319 Information
CNNVD ID
CNNVD-202601-4319
Related CVE
- CNNVD Published: 2026-01-26
Description (Chinese)
sigstore-python is an open-source Python tool from Sigstore for generating and verifying Sigstore signatures. Versions of sigstore-python before 4.2.0 contain a cross-site request forgery vulnerability; the flaw stems from cross-site request forgery in the OAuth authentication flow and may allow an attacker to bypass authentication.
Description (English)
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python before 4.2.0 contain a cross-site request forgery (CSRF) vulnerability in the OAuth authentication flow, which could allow an attacker to bypass authentication.
Hazard Level
Critical
Vulnerability Type
Cross-site request forgery
Affected Vendor
sigstore
Published
2026-01-26
Last Modified
2026-02-24
References
- https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0
- https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr
- https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa
- https://access.redhat.com/security/cve/cve-2026-24408
Patch
https://github.com/sigstore/sigstore-python/releases