SCA: security update for github.com/sigstore/cosign (GHSA-wfqv-66vq-46rm)

Severity: Low. Tenable Self-Hosted Container Security Plugin ID 437872

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and earlier, an
issuing certificate whose validity ends before the leaf certificate's is still treated as valid during
verification, even when the provided timestamp falls after the issuer's expiry. When verifying an artifact
signature with a certificate, Cosign first validates the certificate chain at the leaf certificate's "not
before" time, and only later checks the leaf's expiry against a signed timestamp (from the Rekor transparency
log or a timestamp authority) or the current time. The root and issuing certificates are therefore assumed to
remain valid for the whole of the leaf's validity window, which the chain check never confirms. There is no
impact to users of the public Sigstore infrastructure; private deployments with customized PKIs, where an
intermediate may be shorter-lived than the leaves it issues, may be affected. This issue has been fixed in
version 3.0.5; operators of private PKIs should confirm the version in use (`cosign version`) and upgrade.
(CVE-2026-24122)
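The ordering problem described above is easy to reproduce with a toy chain, and a verifier of a private PKI can use the same shape to check its own tooling. The Go program below is an added example written for this page, not cosign's code: it builds a constructed root -> intermediate -> code-signing leaf with Go's crypto/x509, where the intermediate expires 30 days after issuance while the leaf lives a year, and the artifact is timestamped 60 days in. `VerifyFlawedOrdering` models the sequence the advisory describes (chain validated at the leaf's NotBefore, leaf expiry compared with the timestamp afterwards) and accepts the signature; `VerifyChainAtTimestamp` validates the whole chain at the trusted signing time and rejects it. That second function is my assumption about the correct check, not a quote of the 3.0.5 patch, and all names, dates and certificates are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed dates (example assumptions): the intermediate outlives issuance by 30 days,
// the leaf by a year, and the artifact is timestamped after the intermediate expired.
var (
	t0            = time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	rootNotAfter  = t0.AddDate(10, 0, 0)
	interNotAfter = t0.AddDate(0, 0, 30)
	leafNotAfter  = t0.AddDate(1, 0, 0)
	signedAt      = t0.AddDate(0, 0, 60)
)

// toyPKI holds the three certificates of the constructed chain.
type toyPKI struct {
	root, inter, leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildPKI creates root -> intermediate -> code-signing leaf, with the
// intermediate's validity ending long before the leaf's.
func buildPKI() toyPKI {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Toy Root"},
		NotBefore: t0, NotAfter: rootNotAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Toy Intermediate"},
		NotBefore: t0, NotAfter: interNotAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	inter := issue(interTmpl, root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "signer@example.invalid"},
		NotBefore: t0, NotAfter: leafNotAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return toyPKI{root: root, inter: inter, leaf: leaf}
}

// verifyChainAt runs path validation with every certificate in the chain
// (leaf, intermediate, root) checked for validity at the given instant.
func (p toyPKI) verifyChainAt(at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.inter)
	_, err := p.leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// VerifyFlawedOrdering models the sequence the advisory describes: chain validated
// at the leaf's NotBefore, then only the leaf's own window compared with the
// timestamp. The intermediate, already expired at ts, is never examined at ts.
func VerifyFlawedOrdering(p toyPKI, ts time.Time) error {
	if err := p.verifyChainAt(p.leaf.NotBefore); err != nil {
		return err
	}
	if ts.Before(p.leaf.NotBefore) || ts.After(p.leaf.NotAfter) {
		return fmt.Errorf("leaf certificate not valid at %s", ts.UTC())
	}
	return nil
}

// VerifyChainAtTimestamp validates the whole chain at the trusted signing time
// (assumed remedy for this example, not a quote of the 3.0.5 patch).
func VerifyChainAtTimestamp(p toyPKI, ts time.Time) error {
	return p.verifyChainAt(ts)
}

func main() {
	p := buildPKI()
	fmt.Println("flawed ordering:", VerifyFlawedOrdering(p, signedAt))
	fmt.Println("chain at timestamp:", VerifyChainAtTimestamp(p, signedAt))
}
```

Run with `go run .`: the first line prints `<nil>` (accepted), the second prints an unknown-authority error naming the expired "Toy Intermediate". The same shape applies to a real private deployment: if any intermediate in the chain has a NotAfter earlier than the leaves it issues, signatures timestamped after that NotAfter must be rejected, and a verifier that only checks the leaf's window at the timestamp will not do so.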

See Also

https://github.com/advisories/GHSA-wfqv-66vq-46rm

Plugin Details

Severity: Low

ID: 437872

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 2/20/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.2

Percentile: 51.15

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 2

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-24122

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/19/2026

Vulnerability Publication Date: 2/19/2026

Reference Information

CVE: CVE-2026-24122

CWE: CWE-295