CVE-2026-24122
Certificate Expiry Validation Bypass in Cosign
Publication date: 2026-02-19
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sigstore | cosign | up to 3.0.5 (excluding 3.0.5) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Cosign, a tool used for code signing and transparency for containers and binaries, in versions 3.0.4 and below. The issue is that an issuing certificate that expires before the leaf certificate can still be considered valid during verification, even if the provided timestamp indicates the issuing certificate should be expired. Essentially, Cosign verifies the certificate chain based on the leaf certificate's "not before" timestamp and later checks the leaf certificate's expiry using a signed timestamp or the current time, but it assumes the root and issuing certificates remain valid for the whole of the leaf certificate's validity period. This can lead to acceptance of signatures with expired issuing certificates.
How can this vulnerability impact me?
The impact of this vulnerability is limited. It may affect private deployments of Cosign that use customized Public Key Infrastructures (PKIs), potentially allowing acceptance of signatures that should be considered invalid due to expired issuing certificates. However, there is no impact on users of the public Sigstore infrastructure. The vulnerability has a low CVSS score of 3.7, indicating limited severity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Cosign to version 3.0.5 or later, where the issue has been fixed.
This vulnerability affects private deployments with customized PKIs, so ensure that your environment is updated accordingly.
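The following Go program is an added illustration of the verification flaw described above; it is not code from Cosign or from this advisory. It constructs a synthetic private PKI (a root CA valid for 30 days and a code-signing leaf it issues that is valid for 90 days, both with constructed names), then compares two verification strategies: a flawed one that validates the chain only at the leaf's NotBefore and afterwards checks just the leaf's window against the signing timestamp, and a corrected one that validates the entire chain, issuer included, at the signing timestamp. Function names, the 30/90-day windows and the 60-day signing time are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainTestData holds a constructed two-level PKI (root -> leaf) in which the
// root expires BEFORE the leaf does. This is a synthetic setup for illustration.
type ChainTestData struct {
	Root, Leaf *x509.Certificate
}

// mustCert signs template with signer (the parent's key) and parses the result.
func mustCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildChain creates a CA certificate valid for 30 days and a leaf signed by it
// that is valid for 90 days, so the issuer expires 60 days before the leaf.
func BuildChain(now time.Time) ChainTestData {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-private-root"}, // constructed name
		NotBefore:             now,
		NotAfter:              now.Add(30 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example-signer"}, // constructed name
		NotBefore:    now,
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := mustCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return ChainTestData{Root: root, Leaf: leaf}
}

// chainValidAt runs standard-library path validation with the clock pinned to t,
// which checks the validity window of every certificate in the chain.
func chainValidAt(d ChainTestData, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(d.Root)
	_, err := d.Leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: t,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err == nil
}

// VerifyFlawed mirrors the behaviour the advisory describes: the chain is
// validated at the leaf's NotBefore, and only the leaf's own window is then
// compared against the signing timestamp. The issuer's expiry is never
// checked against that timestamp.
func VerifyFlawed(d ChainTestData, signedAt time.Time) bool {
	if !chainValidAt(d, d.Leaf.NotBefore) {
		return false
	}
	return !signedAt.Before(d.Leaf.NotBefore) && !signedAt.After(d.Leaf.NotAfter)
}

// VerifyFixed evaluates the whole chain at the signing timestamp, so an issuer
// that had already expired when the signature was produced is rejected.
func VerifyFixed(d ChainTestData, signedAt time.Time) bool {
	return chainValidAt(d, signedAt)
}

func main() {
	now := time.Now()
	d := BuildChain(now)
	// 60 days in: the leaf is still valid, but the root expired 30 days earlier.
	signedAt := now.Add(60 * 24 * time.Hour)
	fmt.Println("flawed check accepts:", VerifyFlawed(d, signedAt))
	fmt.Println("fixed check accepts: ", VerifyFixed(d, signedAt))
}
```

The practical takeaway for operators of a private PKI is the second strategy: pin the verification clock to the trusted signing time (a signed timestamp, or the current time when none is present) for every certificate in the chain, not just the leaf, so an issuer that expires before its leaf cannot silently extend the period in which that leaf's signatures are accepted.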