{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-14T04:10:49.681","vulnerabilities":[{"cve":{"id":"CVE-2024-55655","sourceIdentifier":"security-advisories@github.com","published":"2024-12-10T23:15:06.570","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the \"integration time\" present in \"v2\" and \"v3\" bundles during the verification flow: the \"integration time\" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present. This does not affect \"v1\" bundles, as the \"v1\" bundle format always requires an inclusion promise.\n\nSigstore uses signed time to support verification of signatures made against short-lived signing keys. The impact and severity of this weakness is *low*, as Sigstore contains multiple other enforcing components that prevent an attacker who modifies the integration timestamp within a bundle from impersonating a valid signature. In particular, an attacker who modifies the integration timestamp can induce a Denial of Service, but in no different manner than already possible with bundle access (e.g. modifying the signature itself such that it fails to verify). Separately, an attacker could upload a *new* entry to the transparency service, and substitute their new entry's time. However, this would still be rejected at validation time, as the new entry's (valid) signed time would be outside the validity window of the original signing certificate and would nonetheless render the attacker auditable."},{"lang":"es","value":"sigstore-python es una herramienta Python para generar y verificar firmas de Sigstore. Las versiones de sigstore-python más nuevas que 2.0.0 pero anteriores a 3.6.0 realizan una validación insuficiente del \"tiempo de integración\" presente en los paquetes \"v2\" y \"v3\" durante el flujo de verificación: el \"tiempo de integración\" se verifica *si* está presente una fuente de tiempo firmado (como una promesa de inclusión), pero se confía en otro caso si no está presente ninguna fuente de tiempo firmado. Esto no afecta a los paquetes \"v1\", ya que el formato de paquete \"v1\" siempre requiere una promesa de inclusión. Sigstore utiliza tiempo firmado para respaldar la verificación de firmas realizadas contra claves de firma de corta duración. El impacto y la gravedad de esta debilidad son *bajos*, ya que Sigstore contiene varios otros componentes de cumplimiento que evitan que un atacante que modifique la marca de tiempo de integración dentro de un paquete suplante una firma válida. En particular, un atacante que modifica la marca de tiempo de integración puede inducir una denegación de servicio, pero de la misma manera que ya es posible con el acceso a paquetes (por ejemplo, modificando la propia firma de forma que no se verifique). Por otra parte, un atacante podría cargar una *nueva* entrada en el servicio de transparencia y sustituir la hora de la nueva entrada. Sin embargo, esta sería rechazada en el momento de la validación, ya que la hora de firma (válida) de la nueva entrada estaría fuera de la ventana de validez del certificado de firma original y, no obstante, haría que el atacante fuera auditable."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-325"}]}],"references":[{"url":"https://github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf","source":"security-advisories@github.com"},{"url":"https://github.com/sigstore/sigstore-python/releases/tag/v3.6.0","source":"security-advisories@github.com"},{"url":"https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hhfg-fwrw-87w7","source":"security-advisories@github.com"}]}}]}