{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T18:12:16.259","vulnerabilities":[{"cve":{"id":"CVE-2026-22703","sourceIdentifier":"security-advisories@github.com","published":"2026-01-10T07:16:03.030","lastModified":"2026-02-05T20:59:07.633","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4."},{"lang":"es","value":"Cosign proporciona firma de código y transparencia para contenedores y binarios. Antes de las versiones 2.6.2 y 3.0.4, un paquete de Cosign podía ser manipulado para verificar con éxito un artefacto incluso si la entrada de Rekor incrustada no hacía referencia al *digest* del artefacto, a la firma o a la clave pública. Al verificar una entrada de Rekor, Cosign verifica la firma de la entrada de Rekor y también compara el *digest* del artefacto, la clave pública del usuario (ya sea de un certificado de Fulcio o proporcionada por el usuario) y la firma del artefacto con el contenido de la entrada de Rekor. Sin estas comparaciones, Cosign aceptaría cualquier respuesta de Rekor como válida. Un actor malicioso que haya comprometido la identidad o la clave de firma de un usuario podría construir un paquete de Cosign válido incluyendo cualquier entrada de Rekor arbitraria, impidiendo así al usuario auditar el evento de firma. Este problema ha sido parcheado en las versiones 2.6.2 y 3.0.4."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-345"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*","versionEndExcluding":"2.6.2","matchCriteriaId":"7ABA7B55-66EA-4E85-9F5E-1C392C4FCB6C"},{"vulnerable":true,"criteria":"cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.4","matchCriteriaId":"35768783-8EF1-41DB-8DD1-6870B46B647C"}]}]}],"references":[{"url":"https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/sigstore/cosign/pull/4623","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}