SCA: security update for github.com/sigstore/gitsign (GHSA-8pmp-678w-c8xx)

low Tenable Self-Hosted Container Security Plugin ID 412790

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign
may select the wrong Rekor entry to use during online verification when multiple entries are returned by
the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The
parameters used for the search are the public key and the payload. The search API returns entries that
match either condition rather than both. When gitsign's credential cache is used, there can be multiple
entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are
matched by Rekor, there is no additional validation that the entry's hash matches the payload being
verified, meaning that the wrong entry can be used to successfully pass verification. Impact is minimal as
while gitsign does not match the payload against the entry, it does ensure that the certificate matches.
This would need to be exploited during the certificate validity window (10 minutes) by the key holder.
(CVE-2024-51746)

See Also

https://github.com/advisories/GHSA-8pmp-678w-c8xx

Plugin Details

Severity: Low

ID: 412790

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2024-51746

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 1.8

Threat Score: 0.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/5/2024

Vulnerability Publication Date: 11/5/2024

Reference Information

CVE: CVE-2024-51746