CVE & CISA-KEV Catalog

CVE-2024-55655

UNSCORED

Description

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present. This does not affect "v1" bundles, as the "v1" bundle format always requires an inclusion promise. Sigstore uses signed time to support verification of signatures made against short-lived signing keys. The impact and severity of this weakness is *low*, as Sigstore contains multiple other enforcing components that prevent an attacker who modifies the integration timestamp within a bundle from impersonating a valid signature. In particular, an attacker who modifies the integration timestamp can induce a Denial of Service, but in no different manner than already possible with bundle access (e.g. modifying the signature itself such that it fails to verify). Separately, an attacker could upload a *new* entry to the transparency service, and substitute their new entry's time. However, this would still be rejected at validation time, as the new entry's (valid) signed time would be outside the validity window of the original signing certificate and would nonetheless render the attacker auditable.

How to fix

No published remediation has been found for this vulnerability's affected products yet.

Mitigation guidance may be in the linked vendor advisories in the References section below.

CVSS v3.1 Vector

No CVSS vector data available.

Exploit Intelligence

0.24%probability of exploitation in 30 days
14thpercentile

Low risk: more likely to be exploited than 14% of all known CVEs.

References

Embed a live status badge for CVE-2024-55655
CVE-2024-55655 severity badge

Markdown

[![CVE-2024-55655](https://tridentstack.com/cve/badge/CVE-2024-55655.svg)](https://tridentstack.com/cve/CVE-2024-55655)

HTML

<a href="https://tridentstack.com/cve/CVE-2024-55655"><img src="https://tridentstack.com/cve/badge/CVE-2024-55655.svg" alt="CVE-2024-55655"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-12-10.