Skip to content

Commit 702b386

Browse files
1 parent ff91641 commit 702b386

2 files changed

Lines changed: 120 additions & 0 deletions

File tree

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-52v5-jr5w-gjxr",
4+
"modified": "2026-07-01T19:58:28Z",
5+
"published": "2026-07-01T19:58:28Z",
6+
"aliases": [
7+
"CVE-2026-48815"
8+
],
9+
"summary": "sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced",
10+
"details": "### Summary\n\nThe documented `certificateOIDs` option in `sigstore.verify()` is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked.\n\n### Details\n\nThe public verify options include `certificateOIDs` and the documentation says those OID/value pairs “must be present in the certificate’s extension list.” The policy-construction path used by `sigstore.verify()` and `createVerifier()` only copies the SAN and issuer settings into the verification policy and completely ignores `certificateOIDs`.\n\nAs a result, callers can believe they are constraining verification to certificates carrying specific Fulcio or workload-identifying OIDs, while the actual verifier never receives those constraints. Any bundle that satisfies the remaining checks is accepted even if the required OID extensions are absent or mismatched.\n\nThis is reachable from supported usage through the documented `certificateOIDs` verify option.\n\n### PoC\n\n```javascript\nconst { createVerificationPolicy } = require(\"sigstore/dist/config\");\n\nconst policy = createVerificationPolicy({\n certificateIssuer: \"https://issuer.example\",\n certificateIdentityEmail: \"victim@example.com\",\n certificateOIDs: {\n \"1.2.3.4\": \"required-value\",\n },\n});\n\nconsole.log(\"certificateOIDs\" in policy, JSON.stringify(policy));\n// false {\"subjectAlternativeName\":\"victim@example.com\",\"extensions\":{\"issuer\":\"https://issuer.example\"}}\n```\n\n### Impact\n\nApplications that rely on `certificateOIDs` to restrict which certificates may sign artifacts receive no such protection. Unauthorized certificates that should be rejected on extension policy can be accepted as long as they satisfy the remaining verification checks.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "sigstore"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "4.1.1"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 4.1.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/sigstore/sigstore-js"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-347"
54+
],
55+
"severity": "HIGH",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-07-01T19:58:28Z",
58+
"nvd_published_at": null
59+
}
60+
}
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-xgjw-pm74-86q4",
4+
"modified": "2026-07-01T19:57:45Z",
5+
"published": "2026-07-01T19:57:45Z",
6+
"aliases": [
7+
"CVE-2026-48816"
8+
],
9+
"summary": "sigstore-js has Insufficient Verification of Data Authenticity",
10+
"details": "sigstore-js derives a transparency-log timestamp from `tlogEntries[].integratedTime` and uses it to validate certificate validity windows and satisfy `timestampThreshold`. For bundle v0.2, a tlog entry can be inclusionProof-only (no signed inclusionPromise/set), and the inclusion proof path does not cryptographically bind `integratedTime`. As a result, an attacker who can supply an untrusted bundle can influence time-based verification decisions by choosing `integratedTime`.\n\n## impact\nIf a consumer accepts attacker-provided bundle v0.2 inputs and relies on tlog-derived timestamps for certificate validity checks, verification can be influenced by an unauthenticated timestamp value. This is a trust gap: `integratedTime` is treated as a trusted observer timestamp under inclusionProof-only mode even though only the signed inclusionPromise/set path binds it.\n\n## affected code\n- `packages/verify/src/bundle/index.ts` (adds a transparency-log timestamp whenever `integratedTime != 0`)\n- `packages/verify/src/timestamp/index.ts` (converts `integratedTime` to a `Date`)\n- `packages/verify/src/verifier.ts` (verifies timestamps before verifying tlog inclusion)\n- `packages/verify/src/tlog/index.ts` + `packages/verify/src/tlog/set.ts` (only the inclusionPromise/set path binds `integratedTime`)\n\n## proof of concept\nThe attached `poc.zip` contains a self-contained harness that reproduces the behavior on the pinned commit and includes both a canonical test and a negative control.\n\nrepro:\n1) extract `poc.zip` into a fresh directory and run the make targets:\n\n```bash\nunzip poc.zip -d poc\ncd poc/poc-F-SIG-JS-TLOGTIME-001\nmake canonical\nmake control\n```\n\n2) confirm `canonical.log` includes:\n\n```\n[CALLSITE_HIT]:\n[PROOF_MARKER]:\n```\n\n3) confirm `control.log` includes:\n\n```\n[NC_MARKER]:\n```\n\n## suggested fix\nOnly treat `integratedTime` as a trusted timestamp when it is cryptographically bound (for example, via a verified signed inclusionPromise/set). For inclusionProof-only entries, do not count `integratedTime` toward `timestampThreshold`, and do not use it for certificate validity decisions unless there is another signed time source (for example, an rfc3161 timestamp).\n\n[poc.zip](https://github.com/user-attachments/files/25643656/poc.zip)\n[PR_DESCRIPTION.md](https://github.com/user-attachments/files/25643660/PR_DESCRIPTION.md)\n[SUBMISSION.md](https://github.com/user-attachments/files/25643662/SUBMISSION.md)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "@sigstore/verify"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "3.1.0"
29+
},
30+
{
31+
"fixed": "3.1.1"
32+
}
33+
]
34+
}
35+
],
36+
"versions": [
37+
"3.1.0"
38+
]
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/sigstore/sigstore-js/security/advisories/GHSA-xgjw-pm74-86q4"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/sigstore/sigstore-js"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-345"
54+
],
55+
"severity": "MODERATE",
56+
"github_reviewed": true,
57+
"github_reviewed_at": "2026-07-01T19:57:45Z",
58+
"nvd_published_at": null
59+
}
60+
}

0 commit comments

Comments
 (0)