Package details: pkg:golang/github.com/sigstore/cosign@1.10.1
purl pkg:golang/github.com/sigstore/cosign@1.10.1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-9yxy-m6af-7bdd
Summary: cosign's `cosign verify-attestation --type` can report a false positive if any attestation exists.
`cosign verify-attestation` used with the `--type` flag will report a false positive verification when:
- There is at least one attestation with a valid signature
- There are NO attestations of the type being verified (`--type` defaults to "custom")
This can happen when signing with a standard keypair and with "keyless" signing with Fulcio. Users should upgrade to cosign version 1.10.1 or greater for a patch. Currently the only workaround is to upgrade.
Aliases: CVE-2022-35929, GHSA-vjxv-45g9-9296

History
Date: 2026-04-01T13:06:47.223677+00:00
Actor: GithubOSV Importer
Action: Fixing
Vulnerability: VCID-9yxy-m6af-7bdd
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-vjxv-45g9-9296/GHSA-vjxv-45g9-9296.json
VulnerableCode Version: 38.0.0