Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (1)
| Vulnerability |
Summary |
Aliases |
|
VCID-8k12-ju2w-cygz
|
Cosign's verify-blob-attestation reports false positive when payload parsing fails
## Description
`cosign verify-blob-attestation` may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely.
## Impact
When `cosign verify-blob-attestation` is used without `--check-claims` set to `true`, an attestation that has a valid signature but a malformed or unparsable payload would be incorrectly validated. Additionally, systems relying on `--type <predicate type>` to reject attestations with mismatched types would be lead to trust the unexpected attestation type.
## Patches
v3.0.6, v2.6.3
## Workarounds
Always set `--check-claims=true` for attestation verification.
|
CVE-2026-39395
GHSA-w6c6-c85g-mmv6
|