Alpine: multiple cosign packages: security update to 1.5.2-r0

low Tenable Self-Hosted Container Security Plugin ID 403910

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project.
Prior to version 1.5.2, Cosign can be manipulated to claim that an entry for a signature exists in the
Rekor transparency log even if it doesn't. This requires the attacker to have pull and push permissions
for the signature in OCI. This can happen with both standard signing with a keypair and "keyless signing"
with Fulcio. If an attacker has access to the signature in OCI, they can manipulate cosign into believing
the entry was stored in Rekor even though it wasn't. The vulnerability has been patched in v1.5.2 of
Cosign. The `signature` in the `signedEntryTimestamp` provided by Rekor is now compared to the `signature`
that is being verified. If these don't match, then an error is returned. If a valid bundle is copied to a
different signature, verification should fail. Cosign output now only informs the user that certificates
were verified if a certificate was in fact verified. There is currently no known workaround.
(CVE-2022-23649)

See Also

https://security.alpinelinux.org/vuln/CVE-2022-23649

Plugin Details

Severity: Low

ID: 403910

Version: Revision 1.29

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2022-23649

CVSS v3

Risk Factor: Low

Base Score: 3.3

Temporal Score: 2.9

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/18/2022

Reference Information

CVE: CVE-2022-23649