x/vulndb: potential Go vuln in github.com/sigstore/gitsign: CVE-2023-47122

[GoVulnBot]

CVE-2023-47122 references github.com/sigstore/gitsign, which may be a Go module.

Description:
Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (rekor.sigstore.dev) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-47122
• JSON: https://github.com/CVEProject/cvelist/tree/979cc8d3cc55522e14115c7d54afaae8d5cf4c13/2023/47xxx/CVE-2023-47122.json
• advisory: GHSA-xvrc-2wvh-49vc
• fix: Add options for Rekor client, make public key fetcher configurable. sigstore/gitsign#399
• fix: sigstore/gitsign@cd66ccb
• web: https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model
• Imported by: https://pkg.go.dev/github.com/sigstore/gitsign?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/sigstore/gitsign
      vulnerable_at: 0.8.0
      packages:
        - package: gitsign
cves:
    - CVE-2023-47122
references:
    - advisory: https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc
    - fix: https://github.com/sigstore/gitsign/pull/399
    - fix: https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236
    - web: https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model

[zpavlinovic]

Vulnerability in tool. Moreover, no packages are imported.

[gopherbot]

Change https://go.dev/cl/542555 mentions this issue: data/excluded: batch add 2 excluded reports