Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/sigstore@2.0.1

Type pypi

Namespace

Name sigstore

Version 2.0.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 4.2.0

Latest_non_vulnerable_version 4.2.0

Affected_by_vulnerabilities

url VCID-9281-a23g-t3af

vulnerability_id VCID-9281-a23g-t3af

summary

sigstore CSRF possibility in OIDC authentication during signing
The sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-24408

reference_id

reference_type

scores

value	7e-05
scoring_system	epss
scoring_elements	0.00532
published_at	2026-06-07T12:55:00Z

value	7e-05
scoring_system	epss
scoring_elements	0.00533
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-24408

reference_url

https://github.com/sigstore/sigstore-python

reference_id

reference_type

scores

value	0.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/sigstore/sigstore-python

reference_url

https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa

reference_id

reference_type

scores

value	0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

value	0.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:35:04Z/

url

https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa

reference_url

https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0

reference_id

reference_type

scores

value	0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

value	0.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:35:04Z/

url

https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-24408

reference_id

CVE-2026-24408

reference_type

scores

value	0.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-24408

reference_url

https://github.com/advisories/GHSA-hm8f-75xx-w2vr

reference_id

GHSA-hm8f-75xx-w2vr

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hm8f-75xx-w2vr

reference_url

https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr

reference_id

GHSA-hm8f-75xx-w2vr

reference_type

scores

value	0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

value	0.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-27T21:35:04Z/

url

https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr

fixed_packages

url	pkg:pypi/sigstore@4.2.0
purl	pkg:pypi/sigstore@4.2.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/sigstore@4.2.0

aliases CVE-2026-24408, GHSA-hm8f-75xx-w2vr

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9281-a23g-t3af

url VCID-em8d-uu42-h7dx

vulnerability_id VCID-em8d-uu42-h7dx

summary

sigstore has insufficient validation of integration timestamp during verification
Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present.

This does not affect "v1" bundles, as the "v1" bundle format always requires an inclusion promise.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-55655

reference_id

reference_type

scores

value	0.00096
scoring_system	epss
scoring_elements	0.26593
published_at	2026-06-05T12:55:00Z

value	0.00096
scoring_system	epss
scoring_elements	0.26541
published_at	2026-06-07T12:55:00Z

value	0.00096
scoring_system	epss
scoring_elements	0.26583
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-55655

reference_url

https://github.com/sigstore/sigstore-python

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/sigstore/sigstore-python

reference_url

https://github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:03:32Z/

url

https://github.com/sigstore/sigstore-python/commit/300b502ae99ebfaace124f1f4e422a6a669369cf

reference_url

https://github.com/sigstore/sigstore-python/releases/tag/v3.6.0

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:03:32Z/

url

https://github.com/sigstore/sigstore-python/releases/tag/v3.6.0

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-55655

reference_id

CVE-2024-55655

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-55655

reference_url	https://github.com/advisories/GHSA-hhfg-fwrw-87w7
reference_id	GHSA-hhfg-fwrw-87w7
reference_type
scores
url	https://github.com/advisories/GHSA-hhfg-fwrw-87w7

reference_url

https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hhfg-fwrw-87w7

reference_id

GHSA-hhfg-fwrw-87w7

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:03:32Z/

url

https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hhfg-fwrw-87w7

fixed_packages

url pkg:pypi/sigstore@3.6.0

purl pkg:pypi/sigstore@3.6.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9281-a23g-t3af

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/sigstore@3.6.0

aliases CVE-2024-55655, GHSA-hhfg-fwrw-87w7

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-em8d-uu42-h7dx

Fixing_vulnerabilities

Risk_score 1.4

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/sigstore@2.0.1

Package Instance