CVE-2022-36056: 
NixOS vulnerability analysis and mitigation

Cosign, a project under the sigstore organization aimed at making signatures invisible infrastructure, was found to contain multiple verification vulnerabilities in versions prior to 1.12.0. The vulnerability was discovered and disclosed in September 2022, affecting the cosign verify-blob functionality where it would incorrectly verify an artifact when verification should have failed (GitHub Advisory).

The vulnerability encompasses four distinct issues in the verification process: 1) A cosign bundle could be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature, 2) When providing identity flags, the email and issuer of a certificate were not checked when verifying a Rekor bundle, and the GitHub Actions identity was never checked, 3) Providing an invalid Rekor bundle without the experimental flag resulted in a successful verification, and 4) An invalid transparency log entry would result in immediate success for verification. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability could allow an attacker to bypass signature verification mechanisms, potentially leading to the acceptance of unauthorized or malicious artifacts. This primarily affects the integrity of the verification process, as indicated by the CVSS metrics showing high impact on integrity but no impact on confidentiality or availability (GitHub Advisory).

Users are advised to upgrade to Cosign version 1.12.0 or later, which contains patches for all identified vulnerabilities. For the bundle mismatch vulnerability, a temporary workaround exists where users can extract the signature and certificate from the bundle and use it for verification directly. However, for the other vulnerabilities, no workarounds are available, and updating is the only solution (GitHub Advisory).