Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/gitsign@0.14.0-1?distro=trixie

Type deb

Namespace debian

Name gitsign

Version 0.14.0-1

Qualifiers

distro	trixie

Subpath

Is_vulnerable false

Next_non_vulnerable_version 0.16.0-1

Latest_non_vulnerable_version 0.16.0-1

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-wxqp-vxuw-pucj

vulnerability_id VCID-wxqp-vxuw-pucj

summary Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-47122

reference_id

reference_type

scores

value	0.00099
scoring_system	epss
scoring_elements	0.27098
published_at	2026-06-09T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.2709
published_at	2026-06-08T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27139
published_at	2026-06-07T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27178
published_at	2026-06-06T12:55:00Z

value	0.00099
scoring_system	epss
scoring_elements	0.27231
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-47122

reference_url

https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:14:35Z/

url

https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model

reference_url

https://github.com/sigstore/gitsign

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sigstore/gitsign

reference_url

https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:14:35Z/

url

https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236

reference_url

https://github.com/sigstore/gitsign/pull/399

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:14:35Z/

url

https://github.com/sigstore/gitsign/pull/399

reference_url

https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:14:35Z/

url

https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-47122

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-47122

fixed_packages

url	pkg:deb/debian/gitsign@0?distro=trixie
purl	pkg:deb/debian/gitsign@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0%3Fdistro=trixie

url pkg:deb/debian/gitsign@0.13.0-2?distro=trixie

purl pkg:deb/debian/gitsign@0.13.0-2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3yev-7ahp-gbb5

vulnerability	VCID-sbw6-2kfu-muha

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.13.0-2%3Fdistro=trixie

url pkg:deb/debian/gitsign@0.13.0-4?distro=trixie

purl pkg:deb/debian/gitsign@0.13.0-4?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3yev-7ahp-gbb5

vulnerability	VCID-sbw6-2kfu-muha

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.13.0-4%3Fdistro=trixie

url	pkg:deb/debian/gitsign@0.14.0-1?distro=trixie
purl	pkg:deb/debian/gitsign@0.14.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.14.0-1%3Fdistro=trixie

url	pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
purl	pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.16.0-1%3Fdistro=trixie

aliases CVE-2023-47122, GHSA-xvrc-2wvh-49vc

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wxqp-vxuw-pucj

url VCID-xhmd-g5v7-3bgm

vulnerability_id VCID-xhmd-g5v7-3bgm

summary Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification. Impact is minimal as while gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-51746.json

reference_id

reference_type

scores

value	2.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-51746.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-51746

reference_id

reference_type

scores

value	0.00058
scoring_system	epss
scoring_elements	0.1826
published_at	2026-06-09T12:55:00Z

value	0.00058
scoring_system	epss
scoring_elements	0.1835
published_at	2026-06-05T12:55:00Z

value	0.00058
scoring_system	epss
scoring_elements	0.18353
published_at	2026-06-06T12:55:00Z

value	0.00058
scoring_system	epss
scoring_elements	0.18316
published_at	2026-06-07T12:55:00Z

value	0.00058
scoring_system	epss
scoring_elements	0.1824
published_at	2026-06-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-51746

reference_url

https://github.com/sigstore/gitsign

reference_id

reference_type

scores

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/sigstore/gitsign

reference_url

https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx

reference_id

reference_type

scores

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-05T20:18:07Z/

url

https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-51746

reference_id

reference_type

scores

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-51746

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2323965
reference_id	2323965
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2323965

fixed_packages

url	pkg:deb/debian/gitsign@0?distro=trixie
purl	pkg:deb/debian/gitsign@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0%3Fdistro=trixie

url pkg:deb/debian/gitsign@0.13.0-2?distro=trixie

purl pkg:deb/debian/gitsign@0.13.0-2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3yev-7ahp-gbb5

vulnerability	VCID-sbw6-2kfu-muha

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.13.0-2%3Fdistro=trixie

url pkg:deb/debian/gitsign@0.13.0-4?distro=trixie

purl pkg:deb/debian/gitsign@0.13.0-4?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3yev-7ahp-gbb5

vulnerability	VCID-sbw6-2kfu-muha

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.13.0-4%3Fdistro=trixie

url	pkg:deb/debian/gitsign@0.14.0-1?distro=trixie
purl	pkg:deb/debian/gitsign@0.14.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.14.0-1%3Fdistro=trixie

url	pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
purl	pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.16.0-1%3Fdistro=trixie

aliases CVE-2024-51746, GHSA-8pmp-678w-c8xx

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xhmd-g5v7-3bgm

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.14.0-1%3Fdistro=trixie

Package Instance