Untriaged
CVE-2026-24408
0.0 NONE
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): HIGH
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): NONE
sigstore has CSRF possibility in OIDC authentication during signing
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" value and sends it as a parameter in the authentication request, but the "state" returned in the server response does not appear to be cross-checked against that value, so the client cannot tell whether a response belongs to the request it actually issued. Version 4.2.0 contains a patch for the issue.
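To make the missing check concrete, here is an added example of a minimal OAuth authorization-code client that first sends a random `state` and then either ignores or verifies it on the redirect back. This is not sigstore-python's code and does not reproduce `_OAuthSession`; the `OAuthSession` class, the issuer endpoint, the redirect URI and the sample codes are hypothetical stand-ins, and `check_state=False` merely models the behaviour the advisory describes (state sent but not cross-checked).

```python
"""Added example: why an OAuth client must verify the 'state' it receives
against the 'state' it sent. Not sigstore-python's code; the class, the
issuer URL and the redirect URI are hypothetical stand-ins."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER_AUTH_ENDPOINT = "https://issuer.example/authorize"  # hypothetical IdP
REDIRECT_URI = "http://localhost:8080/auth/callback"       # hypothetical local listener


class OAuthSession:
    """One authorization-code flow. check_state=False models a client that
    emits 'state' but never compares the echoed value on the way back."""

    def __init__(self, client_id, check_state=True):
        self.client_id = client_id
        self.check_state = check_state
        # Unpredictable per-flow token; the IdP must echo it back unchanged.
        self._state = secrets.token_urlsafe(32)
        self.code = None

    def auth_url(self):
        """Authorization request the user's browser is sent to."""
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": REDIRECT_URI,
            "scope": "openid email",
            "state": self._state,
        }
        return f"{ISSUER_AUTH_ENDPOINT}?{urlencode(params)}"

    def handle_redirect(self, redirect_url):
        """Consume the redirect back to REDIRECT_URI; return the code or raise."""
        qs = parse_qs(urlparse(redirect_url).query)
        if "error" in qs:
            raise RuntimeError(f"IdP returned error: {qs['error'][0]}")
        if self.check_state:
            returned = qs.get("state", [""])[0]
            # Constant-time compare. Any mismatch means this response was not
            # produced by the request *this* session issued, so drop it.
            if not hmac.compare_digest(returned.encode(), self._state.encode()):
                raise RuntimeError("state mismatch: refusing authorization code")
        code = qs.get("code", [None])[0]
        if not code:
            raise RuntimeError("redirect carried no authorization code")
        self.code = code
        return code


def legitimate_redirect(session, code):
    """What the IdP sends back: the code plus the state it was given."""
    sent_state = parse_qs(urlparse(session.auth_url()).query)["state"][0]
    return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': sent_state})}"


def forged_redirect(code):
    """What a cross-site attacker can make the victim's browser request:
    the attacker's own code, with a state value the victim never issued."""
    return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': 'attacker-chosen'})}"


def run_scenario(check_state):
    """Drive a session through a forged and a legitimate redirect."""
    results = {}
    s = OAuthSession("example-client", check_state=check_state)
    s.auth_url()  # user is sent to the IdP; our state is now outstanding
    try:
        s.handle_redirect(forged_redirect("ATTACKER_CODE"))
        results["forged_accepted"] = True
    except RuntimeError:
        results["forged_accepted"] = False
    s2 = OAuthSession("example-client", check_state=check_state)
    try:
        s2.handle_redirect(legitimate_redirect(s2, "VICTIM_CODE"))
        results["legit_accepted"] = True
    except RuntimeError:
        results["legit_accepted"] = False
    return results


if __name__ == "__main__":
    print("no state check:", run_scenario(check_state=False))
    print("state checked: ", run_scenario(check_state=True))
```

With `check_state=False` the forged redirect is accepted and the client proceeds with an authorization code it never requested; with the check on, only the redirect carrying the exact state this session issued gets through. The comparison is constant-time and is done before the code is touched, so a mismatch aborts the flow instead of merely being logged.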
References
- https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0 x_refsource_MISC
- https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr x_refsource_CONFIRM
- https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa x_refsource_MISC
Affected products
sigstore-python
- < 4.2.0
Matching in nixpkgs
pkgs.python312Packages.sigstore
Codesigning tool for Python packages
pkgs.python313Packages.sigstore
Codesigning tool for Python packages
Package maintainers
- @Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>