Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1048309?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1048309?format=api", "purl": "pkg:apk/alpine/cosign@1.12.1-r0?arch=s390x&distroversion=v3.19&reponame=community", "type": "apk", "namespace": "alpine", "name": "cosign", "version": "1.12.1-r0", "qualifiers": { "arch": "s390x", "distroversion": "v3.19", "reponame": "community" }, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "2.2.1-r0", "latest_non_vulnerable_version": "2.2.1-r0", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/52361?format=api", "vulnerability_id": "VCID-mn6g-jbm6-8ye9", "summary": "Cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature\n## Summary\n\nA number of vulnerabilities have been found in `cosign verify-blob`, where Cosign would successfully verify an artifact when verification should have failed.\n\n## Vulnerability 1: Bundle mismatch causes invalid verification.\n\n### Summary\nA cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature.\n\n### Details\nCosign supports \"bundles\" which intend to allow offline verification of the signature and rekor inclusion. By using the --bundle flag in cosign sign-blob, cosign will create a JSON file called a \"bundle\". These bundles include three fields: base64Signature, cert, and rekorBundle. The desired behavior is that the verification of these bundles would:\n\n- verify the provided blob using the included signature and certificate\n- verify the rekorBundle SET\n- verify the rekorBundle payload references the given artifact.\n\nIt appears that step three is not being performed, allowing \"any old rekorBundle\" to pass validation, even if the rekorBundle payload does not reference the provided blob or the certificate and signature in the rekorBundle do not match those at the top level.\n\n### Steps to reproduce\nEnable keyless signing:\n\n```\nexport COSIGN_EXPERIMENTAL=1\n```\nCreate two random blobs:\n```\ndd bs=1 count=50 </dev/urandom >blob1\ndd bs=1 count=50 </dev/urandom >blob2\n```\nSign each blob:\n```\ncosign sign-blob blob1 --bundle bundle1\ncosign sign-blob blob2 --bundle bundle2\n```\nCreate a falsified bundle including the base64Signature and cert fields from bundle1 and the rekorBundle from bundle2:\n```\njq --slurpfile bundle2 bundle2 '.rekorBundle = $bundle2[0].rekorBundle' bundle1 > invalidBundle\n```\nNow, the falsified bundle can be used to verify blob1:\n```\n$ cosign verify-blob blob1 --bundle invalidBundle\ntlog entry verified offline\nVerified OK\n```\n\n### Patches\n\nUsers should update to the latest version of Cosign, `1.12.0`.\n\n### Workaround\n\nIf you extract the signature and certificate from the `bundle`, you may use it for verification as follows and avoid using an invalid bundle:\n```\n$ cosign verify-blob blob1 --signature $(jq -r '.base64Signature' bundle1) --certificate $(jq -r '.cert' bundle1)\n```\n\nNote that this will make a network call to Rekor to fetch the Rekor entry. However, you may then be subject to Vulnerability 4.\n\n## Vulnerability 2: Certificate Identities are not checked in some cases\n\n### Summary \n\nWhen providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked.\n\n### Details\n\nUsers who provide an offline Rekor bundle (`--bundle`) when verifying a blob using `cosign verify-blob` and include flags that check identity such as `--certificate-email` and `--certificate-oidc-issuer` are impacted. Additionally, users who provide the GitHub Actions verification flags such as `--certificate-github-workflow-name` when running `cosign verify-blob` without a bundle, key reference, or certificate are impacted. \n\nWhen providing these flags, Cosign ignored their values. If a certificate's identity did not match the provided flags, Cosign would still successfully verify the blob.\n\n### Patches\n\nUsers should update to the latest version of Cosign, `1.12.0`.\n\n### Workarounds\n\nThere are no workarounds, users should update.\n\n## Vulnerability 3: Invalid Rekor bundle without the experimental flag will result in successful verification\n\n### Summary\n\nProviding an invalid Rekor bundle without the experimental flag results in a successful verification.\n\n### Details\n\nUsers who provide an offline Rekor bundle (`--bundle`) that was invalid (invalid signed entry timestamp, expired certificate, or malformed) when verifying a blob with `cosign verify-blob` and do not set the `COSIGN_EXPERIMENTAL=1` flag are impacted.\n\nWhen an invalid bundle was provided, Cosign would fallback to checking Rekor log inclusion by requesting proof of inclusion from the log. However, without the `COSIGN_EXPERIMENTAL` flag, Cosign would exit early and successfully verify the blob. \n\n### Patches\n\nUsers should update to the latest version of Cosign, `1.12.0`.\n\n### Workarounds\n\nThere are no workarounds, users should update.\n\n## Vulnerability 4: Invalid transparency log entry will result in successful verification\n\n### Summary\n\nAn invalid transparency log entry will result in immediate success for verification.\n\n### Details\n\nUsers who provide a signature and certificate to `verify-blob` will fetch the associated Rekor entry for verification. If the returned entry was invalid (invalid signed entry timestamp, invalid inclusion proof, malformed entry with missing verification), then `cosign` [exits](https://github.com/sigstore/cosign/blob/42c6e2a6dd9d92d19077c8e6b7d66d155a5ea28c/cmd/cosign/cli/verify/verify_blob.go#L357) early and succeeds unconditionally.\n\n### Patches\n\nUsers should update to the latest version of Cosign, `1.12.0`.\n\n### Workarounds\n\nThere are no workarounds, users should update.\n\n\n## For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [cosign](https://github.com/sigstore/cosign)\n* Send us a message on [Slack](https://sigstore.slack.com/).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36056.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36056.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-36056", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19603", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19709", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19696", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19694", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19719", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19776", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19821", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19817", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19686", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19959", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19904", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19766", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-36056" }, { "reference_url": "https://github.com/sigstore/cosign", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sigstore/cosign" }, { "reference_url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:44:20Z/" } ], "url": "https://github.com/sigstore/cosign/commit/80b79ed8b4d28ccbce3d279fd273606b5cddcc25" }, { "reference_url": "https://github.com/sigstore/cosign/releases/tag/v1.12.0", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/sigstore/cosign/releases/tag/v1.12.0" }, { "reference_url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-22T15:44:20Z/" } ], "url": "https://github.com/sigstore/cosign/security/advisories/GHSA-8gw7-4j42-w388" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36056", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36056" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128820", "reference_id": "2128820", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128820" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:8827", "reference_id": "RHSA-2022:8827", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:8827" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1048309?format=api", "purl": "pkg:apk/alpine/cosign@1.12.1-r0?arch=s390x&distroversion=v3.19&reponame=community", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/cosign@1.12.1-r0%3Farch=s390x&distroversion=v3.19&reponame=community" } ], "aliases": [ "CVE-2022-36056", "GHSA-8gw7-4j42-w388" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mn6g-jbm6-8ye9" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:apk/alpine/cosign@1.12.1-r0%3Farch=s390x&distroversion=v3.19&reponame=community" }