Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This has been fixed in v1.2.0 of Rekor. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Configurations
History
21 Nov 2024, 08:05
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/sigstore/rekor/commit/140c5add105179e5ffd9e3e114fd1b6b93aebbd4 - Patch | |
References | () https://github.com/sigstore/rekor/security/advisories/GHSA-frqx-jfcm-6jjr - Vendor Advisory |
05 Jun 2023, 14:21
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
First Time |
Linuxfoundation
Linuxfoundation rekor |
|
CPE | cpe:2.3:a:linuxfoundation:rekor:*:*:*:*:*:*:*:* | |
CWE | CWE-617 | |
References | (MISC) https://github.com/sigstore/rekor/commit/140c5add105179e5ffd9e3e114fd1b6b93aebbd4 - Patch | |
References | (MISC) https://github.com/sigstore/rekor/security/advisories/GHSA-frqx-jfcm-6jjr - Vendor Advisory |
26 May 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-05-26 23:15
Updated : 2024-11-21 08:05
NVD link : CVE-2023-33199
Mitre link : CVE-2023-33199
CVE.ORG link : CVE-2023-33199
JSON object : View
Products Affected
linuxfoundation
- rekor
CWE
CWE-617
Reachable Assertion