
Cloud Vulnerability DB
A community-led vulnerabilities database
Gitsign, a tool for keyless Git signing built on Sigstore, contained a vulnerability in versions 0.6.0 up to, but not including, 0.8.0: Rekor public keys were fetched from the Rekor API instead of through the local TUF client. The issue is tracked as CVE-2023-47122 and was disclosed on November 10, 2023. It affects the step in which gitsign verifies Rekor's signatures over transparency-log entries (GitHub Advisory).
The root cause is improper verification of cryptographic signatures (CWE-347). Gitsign checked Rekor's signatures over log entries (for example the signed entry timestamp returned with an entry) against a public key it had just downloaded from the Rekor API, so the key and the signature came from the same server and the check was circular: an attacker in control of the Rekor server, or of its API responses, could serve a key of their own choosing together with signatures made under that key, and gitsign clients would accept the forged entries as valid. NVD scores the issue CVSS v3.1 5.3 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N); GitHub rates it 4.2 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N), the difference being the privileges each assumes the attacker already holds on the Rekor side (NVD, GitHub Advisory).
Exploitation requires a compromised upstream Rekor server. There is no known compromise of the default public-good instance (rekor.sigstore.dev), so users verifying against it were likely unaffected; users who point gitsign at a private Rekor instance should assess that instance's integrity for the affected period (GitHub Advisory).
The issue is fixed in gitsign 0.8.0, which obtains Rekor public keys through the local TUF client, so the trusted key is established from the TUF trust root rather than from the server whose signatures are being checked. No workaround was available for affected versions; the remedy is to upgrade to 0.8.0 or later (GitHub Advisory).
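To make the circularity concrete, the following is an added Go example; it is not gitsign's code and does not use the sigstore TUF client. It models a Rekor-like log with a toy server that both signs entries and serves its public key, then runs the same signed entry through two verifiers: one that fetches the key from the server it is verifying (the pre-0.8.0 pattern) and one that uses a key obtained out of band (a pinned key standing in for what the TUF client supplies in 0.8.0). Ed25519 is used in place of Rekor's actual key type, the seeds are constructed, and the "attacker" controls the server's responses but does not hold the real log's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// logServer models the two pieces of Rekor behaviour that matter for this
// advisory: it signs entries (the signed entry timestamp, SET) and it also
// serves its public key over the API. A compromised server controls both.
type logServer struct {
	priv ed25519.PrivateKey
}

// newLogServer derives a key from a fixed seed so the example is
// deterministic (constructed seed; a real log keeps its key in an HSM).
func newLogServer(seed string) *logServer {
	s := sha256.Sum256([]byte(seed))
	return &logServer{priv: ed25519.NewKeyFromSeed(s[:])}
}

// publicKey stands in for the Rekor API endpoint that returns the log key.
func (s *logServer) publicKey() ed25519.PublicKey {
	return s.priv.Public().(ed25519.PublicKey)
}

// signEntry stands in for the SET Rekor returns alongside a log entry.
func (s *logServer) signEntry(entry []byte) []byte {
	d := sha256.Sum256(entry)
	return ed25519.Sign(s.priv, d[:])
}

// verifyViaAPI is the pre-0.8.0 pattern: the key is fetched from the same
// server whose signature is being checked, so the check is circular.
func verifyViaAPI(srv *logServer, entry, set []byte) bool {
	d := sha256.Sum256(entry)
	return ed25519.Verify(srv.publicKey(), d[:], set)
}

// verifyViaTrustRoot is the 0.8.0 pattern: the key comes from a local trust
// root (a pinned key here; the TUF-distributed key in gitsign), never from
// the server being verified.
func verifyViaTrustRoot(trusted ed25519.PublicKey, entry, set []byte) bool {
	d := sha256.Sum256(entry)
	return ed25519.Verify(trusted, d[:], set)
}

// outcome records what each verifier concluded for one scenario.
type outcome struct {
	APIAccepts       bool
	TrustRootAccepts bool
}

// scenario runs both verifiers against srv, which is either the honest log
// or an attacker-controlled replacement. trusted is the key the client
// obtained out of band (what the local TUF client would supply).
func scenario(trusted ed25519.PublicKey, srv *logServer, entry []byte) outcome {
	set := srv.signEntry(entry)
	return outcome{
		APIAccepts:       verifyViaAPI(srv, entry, set),
		TrustRootAccepts: verifyViaTrustRoot(trusted, entry, set),
	}
}

// honestCase: the server is the real log, so both verifiers accept.
func honestCase() outcome {
	real := newLogServer("rekor-log-key")
	return scenario(real.publicKey(), real, []byte("commit-signature-entry"))
}

// compromisedCase: the attacker answers the API with their own key and a
// SET made under it, but does not hold the real log's private key. The
// API-keyed verifier accepts the forgery; the trust-root verifier rejects it.
func compromisedCase() outcome {
	real := newLogServer("rekor-log-key")
	attacker := newLogServer("attacker-key")
	return scenario(real.publicKey(), attacker, []byte("forged-entry"))
}

func main() {
	fmt.Printf("honest:      %+v\n", honestCase())
	fmt.Printf("compromised: %+v\n", compromisedCase())
}
```

The only difference between the two verifiers is where the key comes from; the signature check itself is identical. That is why the fix is a change in key distribution (TUF) rather than in the verification routine, and why a compromise of the server alone, without its signing key, was enough to defeat the older code path.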
Source: This report was generated using AI