x/vulndb: potential Go vuln in github.com/sigstore/cosign: CVE-2022-36056

[GoVulnBot]

CVE-2022-36056 references github.com/sigstore/cosign, which may be a Go module.

Description:
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-36056
• JSON: https://github.com/CVEProject/cvelist/tree/f790b954ed422a8cc608c42e0de46199e4610cfd/2022/36xxx/CVE-2022-36056.json
• web: GHSA-8gw7-4j42-w388
• fix: sigstore/cosign@80b79ed
• Imported by: https://pkg.go.dev/github.com/sigstore/cosign?tab=importedby

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/sigstore/cosign
    packages:
      - package: cosign
description: |
    Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.
cves:
  - CVE-2022-36056
references:
  - web: https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388
  - fix: https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25

[tatianab]

Vulnerability in tool

[gopherbot]

Change https://go.dev/cl/438179 mentions this issue: data/excluded: add GO-2022-0998.yaml for CVE-2022-36056

[gopherbot]

Change https://go.dev/cl/540975 mentions this issue: data/reports: add GO-2022-0998.yaml