Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-24408
0.0 NONE
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
sigstore has CSRF possibility in OIDC authentication during signing
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue.
References
Affected products
sigstore-python
- ==< 4.2.0
Matching in nixpkgs
pkgs.python312Packages.sigstore
Codesigning tool for Python packages
pkgs.python313Packages.sigstore
Codesigning tool for Python packages
Package maintainers
-
@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>