Sigstore Ruby Library In-Toto Verification Bypass Vulnerability

Vulnerability

A vulnerability exists in the Sigstore Ruby library, specifically in versions prior to 0.2.2, within the Sigstore::Verifier#verify method. The issue arises because the method fails to properly handle verification failures from the verify_in_toto function when there is a digest mismatch between the artifact and the in-toto attestation. This flaw allows DSSE bundles with in-toto statements to be incorrectly verified as successful, even when the artifact does not match the attested subject. The vulnerability enables an attacker to misuse a valid signed DSSE bundle as an attestation for a different artifact, bypassing the intended artifact-to-attestation binding.
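The failure mode described above is a lost verification result: the subject-digest check runs, but its outcome cannot change what the caller sees. The Ruby below is an added illustration written for this page, not code from the sigstore-ruby gem; the statement, the envelope and the method names (verify_in_toto_subject, verify_ignoring_in_toto_result, verify_artifact) are constructed for the example, and signature verification is represented by a signature_ok flag rather than performed.

```ruby
require "json"
require "digest"

# Constructed sample data (not a real Sigstore bundle): an artifact and a minimal
# in-toto Statement v1 whose single subject names that artifact by sha256.
ARTIFACT = "hello world\n".freeze
ATTESTED_SHA256 = Digest::SHA256.hexdigest(ARTIFACT)

STATEMENT_JSON = JSON.generate(
  "_type" => "https://in-toto.io/Statement/v1",
  "subject" => [{ "name" => "hello.txt", "digest" => { "sha256" => ATTESTED_SHA256 } }],
  "predicateType" => "https://slsa.dev/provenance/v1",
  "predicate" => {}
)

# Constructed DSSE envelope: the payload is the statement, strict-base64 encoded.
# The signature is a placeholder; checking it is represented by a flag below.
ENVELOPE = {
  "payloadType" => "application/vnd.in-toto+json",
  "payload" => [STATEMENT_JSON].pack("m0"),
  "signatures" => [{ "sig" => "<placeholder, not a real signature>" }]
}.freeze

class DigestMismatch < StandardError; end

# Bind the artifact to the attestation: its sha256 must appear among the
# statement's subjects. Raises on any problem instead of returning nil, so a
# caller cannot mistake "no matching subject" for success.
def verify_in_toto_subject(envelope, artifact_bytes)
  unless envelope["payloadType"] == "application/vnd.in-toto+json"
    raise ArgumentError, "unexpected payloadType #{envelope["payloadType"].inspect}"
  end
  statement = JSON.parse(envelope["payload"].unpack1("m0"))
  unless statement["_type"].to_s.start_with?("https://in-toto.io/Statement/")
    raise ArgumentError, "payload is not an in-toto Statement"
  end
  actual = Digest::SHA256.hexdigest(artifact_bytes)
  match = Array(statement["subject"]).find do |subject|
    expected = subject.dig("digest", "sha256")
    expected.is_a?(String) && expected.casecmp?(actual)
  end
  raise DigestMismatch, "artifact sha256 #{actual} is not an attested subject" unless match
  match
end

# The bug class the advisory describes: the subject check runs, but its failure
# never reaches the caller, so the result depends on the signature alone.
def verify_ignoring_in_toto_result(envelope, artifact_bytes, signature_ok:)
  begin
    verify_in_toto_subject(envelope, artifact_bytes)
  rescue DigestMismatch
    # swallowed: a mismatched artifact still verifies
  end
  signature_ok
end

# Hardened form: the signature must check out AND the artifact must be an
# attested subject; a failure in either step is the verification result.
def verify_artifact(envelope, artifact_bytes, signature_ok:)
  return false unless signature_ok
  verify_in_toto_subject(envelope, artifact_bytes)
  true
rescue DigestMismatch, ArgumentError, JSON::ParserError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "matching artifact: #{verify_artifact(ENVELOPE, ARTIFACT, signature_ok: true)}"
  puts "tampered artifact: #{verify_artifact(ENVELOPE, "tampered\n", signature_ok: true)}"
  puts "buggy, tampered:   #{verify_ignoring_in_toto_result(ENVELOPE, "tampered\n", signature_ok: true)}"
end
```

The hardened form treats every step as mandatory and funnels each failure into a single false result, which is the property a caller of a bundle verifier needs: a DSSE bundle whose statement does not name the artifact being checked must never verify, regardless of how good the signature is.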

Impact

Exploitation of this vulnerability allows for the incorrect verification of DSSE bundles, enabling an attacker to present an attestation for one artifact as valid for another, thereby bypassing verification checks that ensure the integrity and authenticity of the artifact in relation to the attestation.

Remediation

Users should update to version 0.2.3 or later, where this vulnerability has been fixed.

Added: Mar 10, 2026, 10:19 PM
Updated: Mar 10, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.