SCA: security update for github.com/sigstore/sigstore (GHSA-fcv2-xgw5-pqxf)

medium Tenable Self-Hosted Container Security Plugin ID 436910

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3
and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs
a filesystem path by joining a cache base directory with a target name sourced from signed target
metadata; however, it does not validate that the resulting path stays within the cache base directory. A
malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the
calling process has. Note that this should only affect clients that are directly using the TUF client in
sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are
unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed
in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting
SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-
go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release. (CVE-2026-24137)

See Also

https://github.com/advisories/GHSA-fcv2-xgw5-pqxf

Plugin Details

Severity: Medium

ID: 436910

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.12

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2026-24137

CVSS v3

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/22/2026

Vulnerability Publication Date: 1/22/2026

Reference Information

CVE: CVE-2026-24137

cwe: CWE-22