SCA: security update for github.com/sigstore/timestamp-authority/v2 (GHSA-xm5m-wgh2-rrg3)

medium Tenable Cloud Security Plugin ID 440337

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below
contain an authorization bypass vulnerability in the VerifyTimestampResponse function.
VerifyTimestampResponse correctly verifies the signature and the certificate chain, but the TSA-specific
constraint checks in VerifyLeafCert use the first non-CA certificate found in the PKCS#7 certificate bag
rather than the leaf certificate of the chain that was just verified. Because the bag is attacker-controlled
and its order is not tied to the signature, an attacker can prepend a forged certificate to the bag while
the message is signed with an authorized key: the library then validates the signature against one
certificate but performs the authorization checks against a different one. This vulnerability only affects
users of the timestamp-authority/v2/pkg/verification package; it does not affect the timestamp-authority
service itself or sigstore-go. The issue has been fixed in version 2.0.6. (CVE-2026-39984)
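The following Go program is an added illustration of the certificate mismatch described above; it is not code from the timestamp-authority library. It models an RFC 3161 response as a PKCS#7-style certificate bag plus an ECDSA signature, verifies the signature and chain the same way in both verifiers, and then applies a "TSA constraint" either to the first non-CA certificate in the bag (the vulnerable selection) or to the leaf of the verified chain (the fixed selection). The constraint checked here, the id-kp-timeStamping extended key usage, is an assumption standing in for whatever VerifyLeafCert actually checks; all certificates, keys and the signed bytes are generated inside the program, and every type and function name is the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// tsResponse models a parsed RFC 3161 response (example type, not the library's):
// the PKCS#7 certificate bag, the serial a SignerInfo would use to name the
// signing cert, and the signed bytes with their ECDSA signature.
type tsResponse struct {
	bag      []*x509.Certificate
	signerSN *big.Int
	msg, sig []byte
}

// newCert issues one P-256 certificate; parent == nil yields a self-signed cert.
func newCert(cn string, sn int64, isCA bool, eku []x509.ExtKeyUsage,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(sn), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, ExtKeyUsage: eku,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage = x509.KeyUsageCertSign }
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pick returns the first cert in bag for which ok holds, or nil.
func pick(bag []*x509.Certificate, ok func(*x509.Certificate) bool) *x509.Certificate {
	for _, c := range bag {
		if ok(c) { return c }
	}
	return nil
}

// tsaConstraints stands in (assumption) for the TSA-specific checks: here only the
// id-kp-timeStamping EKU that RFC 3161 requires of a TSA signing certificate.
func tsaConstraints(c *x509.Certificate) error {
	if c == nil { return errors.New("no leaf certificate to check") }
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageTimeStamping { return nil }
	}
	return fmt.Errorf("%q lacks id-kp-timeStamping EKU", c.Subject.CommonName)
}

// verifySignatureAndChain is the part the advisory says was already correct: check
// the signature with the SignerInfo's cert, chain that cert to a trusted root, and
// return the leaf of the verified chain. EKU policy is deliberately left to the caller.
func verifySignatureAndChain(r tsResponse, roots *x509.CertPool) (*x509.Certificate, error) {
	signer := pick(r.bag, func(c *x509.Certificate) bool { return c.SerialNumber.Cmp(r.signerSN) == 0 })
	if signer == nil { return nil, errors.New("signer cert not in bag") }
	h := sha256.Sum256(r.msg)
	if !ecdsa.VerifyASN1(signer.PublicKey.(*ecdsa.PublicKey), h[:], r.sig) {
		return nil, errors.New("bad signature")
	}
	chains, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil { return nil, err }
	return chains[0][0], nil
}

// verifyVulnerable mirrors the pre-2.0.6 shape: constraints are checked on the first
// non-CA cert in the bag, which need not be the cert the signature was checked with.
func verifyVulnerable(r tsResponse, roots *x509.CertPool) error {
	if _, err := verifySignatureAndChain(r, roots); err != nil { return err }
	return tsaConstraints(pick(r.bag, func(c *x509.Certificate) bool { return !c.IsCA }))
}

// verifyFixed mirrors the 2.0.6 shape: constraints are checked on the verified chain's leaf.
func verifyFixed(r tsResponse, roots *x509.CertPool) error {
	leaf, err := verifySignatureAndChain(r, roots)
	if err != nil { return err }
	return tsaConstraints(leaf)
}

// buildResponse constructs a response from generated data: a CA-issued cert with the
// given EKU signs the token; with prependForged, a forged self-signed cert that carries
// the timestamping EKU (but chains to nothing) is placed first in the bag.
func buildResponse(signerEKU x509.ExtKeyUsage, prependForged bool) (tsResponse, *x509.CertPool, error) {
	ca, caKey, err := newCert("Root CA", 1, true, nil, nil, nil)
	if err != nil { return tsResponse{}, nil, err }
	signer, signerKey, err := newCert("signer", 2, false, []x509.ExtKeyUsage{signerEKU}, ca, caKey)
	if err != nil { return tsResponse{}, nil, err }
	bag := []*x509.Certificate{signer, ca}
	if prependForged {
		forged, _, err := newCert("forged-tsa", 3, false, []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}, nil, nil)
		if err != nil { return tsResponse{}, nil, err }
		bag = append([]*x509.Certificate{forged}, bag...)
	}
	msg := []byte("TSTInfo bytes (constructed)")
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, signerKey, h[:])
	if err != nil { return tsResponse{}, nil, err }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return tsResponse{bag: bag, signerSN: signer.SerialNumber, msg: msg, sig: sig}, roots, nil
}

func main() {
	// Signing key chains to the trusted root but its cert is a code-signing cert,
	// and a forged timestamping cert sits first in the bag.
	attack, roots, err := buildResponse(x509.ExtKeyUsageCodeSigning, true)
	if err != nil { panic(err) }
	fmt.Println("vulnerable verifier:", verifyVulnerable(attack, roots)) // <nil>: bypass
	fmt.Println("fixed verifier:     ", verifyFixed(attack, roots))      // error: signer lacks EKU
}
```

The point to take from the two verifiers is that the identity the authorization check uses must be derived from the object the cryptographic check already validated (the chain leaf returned by Verify), never re-selected from attacker-ordered input such as the certificate bag. Running the same program with `buildResponse(x509.ExtKeyUsageTimeStamping, false)` yields an honest response that both verifiers accept, so the fix does not change behaviour for well-formed tokens.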

Solution

Update the github.com/sigstore/timestamp-authority/v2 library and its related packages to version 2.0.6 or later.

See Also

https://github.com/advisories/GHSA-xm5m-wgh2-rrg3

Plugin Details

Severity: Medium

ID: 440337

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 4/14/2026

Updated: 6/3/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-39984

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/14/2026

Vulnerability Publication Date: 4/14/2026

Reference Information

CVE: CVE-2026-39984

CWE: CWE-295