What is CVE-2023-47122?

CVE-2023-47122 is a medium-severity vulnerability in Sigstore Gitsign, classified under Improper Verification of Cryptographic Signature. CVSS score: 4.2/10. Published 2023-11-10.

How severe is CVE-2023-47122?

Medium severity. CVSS v3 base score is 4.2 out of 10.

Vulnerability in Sigstore Gitsign

CVE-2023-47122

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor ser…

EPSS: 0.001 (27.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.2 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N.

Affected products

Sigstore Gitsign — versions >= 0.6.0, < 0.8.0

Weakness classification (CWE)

CWE-347 — Improper Verification of Cryptographic Signature

References

https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc (x_refsource_CONFIRM)
https://github.com/sigstore/gitsign/pull/399 (x_refsource_MISC)
https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236 (x_refsource_MISC)
https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model (x_refsource_MISC)

Frequently asked questions

What is CVE-2023-47122?: CVE-2023-47122 is a medium-severity vulnerability in Sigstore Gitsign, classified under Improper Verification of Cryptographic Signature. CVSS score: 4.2/10. Published 2023-11-10.
How severe is CVE-2023-47122?: Medium severity. CVSS v3 base score is 4.2 out of 10.