Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:deb/debian/gitsign@0.13.0-2?distro=trixie
Typedeb
Namespacedebian
Namegitsign
Version0.13.0-2
Qualifiers
distro trixie
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version0.14.0-1
Latest_non_vulnerable_version0.16.0-1
Affected_by_vulnerabilities
0
url VCID-3yev-7ahp-gbb5
vulnerability_id VCID-3yev-7ahp-gbb5
summary Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees: git-core uses the first, go-git uses the second. A signature crafted over the go-git-normalized form (second tree) passes gitsign verify while git-core resolves the commit to a completely different tree. This breaks the invariant that a verified signature, the commit semantics git-core presents to users, and the object hash logged in Rekor all refer to the same content. This vulnerability is fixed in 0.16.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44309
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02121
published_at 2026-06-05T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02097
published_at 2026-06-09T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.02104
published_at 2026-06-08T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02116
published_at 2026-06-07T12:55:00Z
4
value 0.00013
scoring_system epss
scoring_elements 0.02127
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44309
1
reference_url https://github.com/sigstore/gitsign
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sigstore/gitsign
2
reference_url https://github.com/sigstore/gitsign/security/advisories/GHSA-7rmh-48mx-2vwc
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T17:43:27Z/
url https://github.com/sigstore/gitsign/security/advisories/GHSA-7rmh-48mx-2vwc
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44309
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44309
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136789
reference_id 1136789
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136789
fixed_packages
0
url pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
purl pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.16.0-1%3Fdistro=trixie
aliases CVE-2026-44309, GHSA-7rmh-48mx-2vwc
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3yev-7ahp-gbb5
1
url VCID-sbw6-2kfu-muha
vulnerability_id VCID-sbw6-2kfu-muha
summary Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereferences certs[0] after sd.GetCertificates() without checking the slice length. A CMS/PKCS7 signed message with an empty certificate set is a structurally valid DER payload; GetCertificates() returns an empty slice with no error, causing an immediate index-out-of-range panic. On the gitsign --verify code path (the GPG-compatible mode invoked by git verify-commit), the panic is silently recovered by internal/io/streams.go's Wrap() function, which returns nil instead of an error. main.go then exits with code 0, causing exit-code-only verification callers to interpret the failed verification as success. This vulnerability is fixed in 0.15.0.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44310
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.08382
published_at 2026-06-07T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.08355
published_at 2026-06-09T12:55:00Z
2
value 0.00028
scoring_system epss
scoring_elements 0.08324
published_at 2026-06-08T12:55:00Z
3
value 0.00028
scoring_system epss
scoring_elements 0.08389
published_at 2026-06-05T12:55:00Z
4
value 0.00028
scoring_system epss
scoring_elements 0.084
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44310
1
reference_url https://github.com/sigstore/gitsign
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sigstore/gitsign
2
reference_url https://github.com/sigstore/gitsign/security/advisories/GHSA-7c37-gx6w-8vc5
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-15T16:44:32Z/
url https://github.com/sigstore/gitsign/security/advisories/GHSA-7c37-gx6w-8vc5
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-44310
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-44310
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136789
reference_id 1136789
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136789
fixed_packages
0
url pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
purl pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.16.0-1%3Fdistro=trixie
aliases CVE-2026-44310, GHSA-7c37-gx6w-8vc5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sbw6-2kfu-muha
Fixing_vulnerabilities
0
url VCID-wxqp-vxuw-pucj
vulnerability_id VCID-wxqp-vxuw-pucj
summary Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-47122
reference_id
reference_type
scores
0
value 0.00099
scoring_system epss
scoring_elements 0.27098
published_at 2026-06-09T12:55:00Z
1
value 0.00099
scoring_system epss
scoring_elements 0.2709
published_at 2026-06-08T12:55:00Z
2
value 0.00099
scoring_system epss
scoring_elements 0.27139
published_at 2026-06-07T12:55:00Z
3
value 0.00099
scoring_system epss
scoring_elements 0.27178
published_at 2026-06-06T12:55:00Z
4
value 0.00099
scoring_system epss
scoring_elements 0.27231
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-47122
1
reference_url https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:14:35Z/
url https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model
2
reference_url https://github.com/sigstore/gitsign
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/sigstore/gitsign
3
reference_url https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:14:35Z/
url https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236
4
reference_url https://github.com/sigstore/gitsign/pull/399
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:14:35Z/
url https://github.com/sigstore/gitsign/pull/399
5
reference_url https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-03T15:14:35Z/
url https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-47122
reference_id
reference_type
scores
0
value 4.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-47122
fixed_packages
0
url pkg:deb/debian/gitsign@0?distro=trixie
purl pkg:deb/debian/gitsign@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0%3Fdistro=trixie
1
url pkg:deb/debian/gitsign@0.13.0-2?distro=trixie
purl pkg:deb/debian/gitsign@0.13.0-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3yev-7ahp-gbb5
1
vulnerability VCID-sbw6-2kfu-muha
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.13.0-2%3Fdistro=trixie
2
url pkg:deb/debian/gitsign@0.13.0-4?distro=trixie
purl pkg:deb/debian/gitsign@0.13.0-4?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3yev-7ahp-gbb5
1
vulnerability VCID-sbw6-2kfu-muha
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.13.0-4%3Fdistro=trixie
3
url pkg:deb/debian/gitsign@0.14.0-1?distro=trixie
purl pkg:deb/debian/gitsign@0.14.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.14.0-1%3Fdistro=trixie
4
url pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
purl pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.16.0-1%3Fdistro=trixie
aliases CVE-2023-47122, GHSA-xvrc-2wvh-49vc
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wxqp-vxuw-pucj
1
url VCID-xhmd-g5v7-3bgm
vulnerability_id VCID-xhmd-g5v7-3bgm
summary Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. gitsign may select the wrong Rekor entry to use during online verification when multiple entries are returned by the log. gitsign uses Rekor's search API to fetch entries that apply to a signature being verified. The parameters used for the search are the public key and the payload. The search API returns entries that match either condition rather than both. When gitsign's credential cache is used, there can be multiple entries that use the same ephemeral keypair / signing certificate. As gitsign assumes both conditions are matched by Rekor, there is no additional validation that the entry's hash matches the payload being verified, meaning that the wrong entry can be used to successfully pass verification. Impact is minimal as while gitsign does not match the payload against the entry, it does ensure that the certificate matches. This would need to be exploited during the certificate validity window (10 minutes) by the key holder.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-51746.json
reference_id
reference_type
scores
0
value 2.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-51746.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-51746
reference_id
reference_type
scores
0
value 0.00058
scoring_system epss
scoring_elements 0.1826
published_at 2026-06-09T12:55:00Z
1
value 0.00058
scoring_system epss
scoring_elements 0.1835
published_at 2026-06-05T12:55:00Z
2
value 0.00058
scoring_system epss
scoring_elements 0.18353
published_at 2026-06-06T12:55:00Z
3
value 0.00058
scoring_system epss
scoring_elements 0.18316
published_at 2026-06-07T12:55:00Z
4
value 0.00058
scoring_system epss
scoring_elements 0.1824
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-51746
2
reference_url https://github.com/sigstore/gitsign
reference_id
reference_type
scores
0
value 1.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/sigstore/gitsign
3
reference_url https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx
reference_id
reference_type
scores
0
value 1.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-05T20:18:07Z/
url https://github.com/sigstore/gitsign/security/advisories/GHSA-8pmp-678w-c8xx
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-51746
reference_id
reference_type
scores
0
value 1.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-51746
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2323965
reference_id 2323965
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2323965
fixed_packages
0
url pkg:deb/debian/gitsign@0?distro=trixie
purl pkg:deb/debian/gitsign@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0%3Fdistro=trixie
1
url pkg:deb/debian/gitsign@0.13.0-2?distro=trixie
purl pkg:deb/debian/gitsign@0.13.0-2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3yev-7ahp-gbb5
1
vulnerability VCID-sbw6-2kfu-muha
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.13.0-2%3Fdistro=trixie
2
url pkg:deb/debian/gitsign@0.13.0-4?distro=trixie
purl pkg:deb/debian/gitsign@0.13.0-4?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3yev-7ahp-gbb5
1
vulnerability VCID-sbw6-2kfu-muha
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.13.0-4%3Fdistro=trixie
3
url pkg:deb/debian/gitsign@0.14.0-1?distro=trixie
purl pkg:deb/debian/gitsign@0.14.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.14.0-1%3Fdistro=trixie
4
url pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
purl pkg:deb/debian/gitsign@0.16.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.16.0-1%3Fdistro=trixie
aliases CVE-2024-51746, GHSA-8pmp-678w-c8xx
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xhmd-g5v7-3bgm
Risk_score3.1
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/gitsign@0.13.0-2%3Fdistro=trixie