
Vulnerability_id VCID-8k12-ju2w-cygz
Summary
Cosign's verify-blob-attestation reports false positive when payload parsing fails
## Description

`cosign verify-blob-attestation` may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely.

## Impact

When `cosign verify-blob-attestation` is used without `--check-claims` set to `true`, an attestation that has a valid signature but a malformed or unparsable payload would be incorrectly validated. Additionally, systems relying on `--type <predicate type>` to reject attestations with mismatched types would be led to trust the unexpected attestation type.

## Patches

v3.0.6, v2.6.3

## Workarounds

Always set `--check-claims=true` for attestation verification.
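The fail-open pattern the advisory describes, modelled as an added example (this is not cosign's code; the payloads are constructed, and `predicate_type_error`, `verify_flawed` and `verify_fixed` are hypothetical names): with `check_claims` off, the flawed verifier computes the predicate-type error but still reports success, so a truncated payload or a mismatched `--type` verifies; the fixed verifier rejects on any error, and the workaround path (`check_claims=True`) already fails closed.

```python
import json

# Constructed in-toto statement payloads for the demo (not real attestations).
PROVENANCE = "https://slsa.dev/provenance/v1"
GOOD_PAYLOAD = json.dumps({"_type": "https://in-toto.io/Statement/v1",
                           "predicateType": PROVENANCE,
                           "subject": [], "predicate": {}})
MALFORMED_PAYLOAD = '{"predicateType": "' + PROVENANCE + '"'   # truncated JSON
WRONG_TYPE_PAYLOAD = json.dumps({"predicateType": "https://spdx.dev/Document"})


def predicate_type_error(payload: str, expected: str):
    """Return None if the payload parses and carries the expected
    predicateType, otherwise a string describing the problem."""
    try:
        stmt = json.loads(payload)
    except ValueError as exc:
        return f"payload parse failed: {exc}"
    if not isinstance(stmt, dict) or stmt.get("predicateType") != expected:
        return "predicate type mismatch"
    return None


def verify_flawed(payload, signature_ok, expected, check_claims=False):
    """Model of the pre-fix behaviour (hypothetical, not cosign's code):
    the signature is checked, but without check_claims the predicate-type
    error is never turned into a rejection, so the result is 'Verified OK'."""
    if not signature_ok:
        return False
    if check_claims:
        return predicate_type_error(payload, expected) is None
    err = predicate_type_error(payload, expected)
    if err is None:
        return True
    # Bug (CWE-754): the error is noted but the caller still sees success.
    return True


def verify_fixed(payload, signature_ok, expected, check_claims=False):
    """Fail closed: a parse failure or type mismatch rejects the
    attestation regardless of check_claims."""
    if not signature_ok:
        return False
    return predicate_type_error(payload, expected) is None
```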
Aliases
0
alias CVE-2026-39395
1
alias GHSA-w6c6-c85g-mmv6
Fixed_packages
0
url pkg:deb/debian/cosign@2.6.2-1
purl pkg:deb/debian/cosign@2.6.2-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8k12-ju2w-cygz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cosign@2.6.2-1
1
url pkg:deb/debian/cosign@2.6.3-1
purl pkg:deb/debian/cosign@2.6.3-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cosign@2.6.3-1
2
url pkg:deb/debian/cosign@2.6.3-1?distro=trixie
purl pkg:deb/debian/cosign@2.6.3-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cosign@2.6.3-1%3Fdistro=trixie
3
url pkg:deb/debian/golang-github-sigstore-cosign-v2@2.6.3-2?distro=sid
purl pkg:deb/debian/golang-github-sigstore-cosign-v2@2.6.3-2?distro=sid
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-sigstore-cosign-v2@2.6.3-2%3Fdistro=sid
Affected_packages
0
url pkg:deb/debian/cosign@2.5.0-2?distro=trixie
purl pkg:deb/debian/cosign@2.5.0-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8k12-ju2w-cygz
1
vulnerability VCID-93qu-3cgz-j7a2
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cosign@2.5.0-2%3Fdistro=trixie
1
url pkg:deb/debian/cosign@2.5.0-2
purl pkg:deb/debian/cosign@2.5.0-2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8k12-ju2w-cygz
1
vulnerability VCID-93qu-3cgz-j7a2
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cosign@2.5.0-2
2
url pkg:deb/debian/cosign@2.6.2-1?distro=trixie
purl pkg:deb/debian/cosign@2.6.2-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8k12-ju2w-cygz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cosign@2.6.2-1%3Fdistro=trixie
3
url pkg:deb/debian/cosign@2.6.2-1
purl pkg:deb/debian/cosign@2.6.2-1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8k12-ju2w-cygz
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/cosign@2.6.2-1
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39395.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-39395.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-39395
reference_id
reference_type
scores
0
value 0.00029
scoring_system epss
scoring_elements 0.08216
published_at 2026-04-12T12:55:00Z
1
value 0.00029
scoring_system epss
scoring_elements 0.08236
published_at 2026-04-11T12:55:00Z
2
value 0.00029
scoring_system epss
scoring_elements 0.08246
published_at 2026-04-09T12:55:00Z
3
value 0.00029
scoring_system epss
scoring_elements 0.08227
published_at 2026-04-08T12:55:00Z
4
value 0.00031
scoring_system epss
scoring_elements 0.08965
published_at 2026-04-13T12:55:00Z
5
value 0.00038
scoring_system epss
scoring_elements 0.11527
published_at 2026-04-21T12:55:00Z
6
value 0.00038
scoring_system epss
scoring_elements 0.11404
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-39395
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/sigstore/cosign
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sigstore/cosign
4
reference_url https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:49:08Z/
url https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-39395
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-39395
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133005
reference_id 1133005
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133005
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2456254
reference_id 2456254
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2456254
Weaknesses
0
cwe_id 754
name Improper Check for Unusual or Exceptional Conditions
description The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
1
cwe_id 347
name Improper Verification of Cryptographic Signature
description The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8k12-ju2w-cygz