CVE-2024-45395: 
Wolfi vulnerability analysis and mitigation

sigstore-go, a Go library for Sigstore signing and verification, contains a denial of service vulnerability (CVE-2024-45395) in versions prior to 0.6.1. The vulnerability was discovered and disclosed on September 4, 2024. The vulnerability affects the verification functionality when processing Sigstore Bundles containing large amounts of verifiable data (GitHub Advisory).

The vulnerability exists in the verification functions within the github.com/sigstore/sigstore-go/pkg/verify package. The issue stems from unbounded loops processing untrusted input when verifying three types of data: DSSE envelope verification, transparency log entries, and RFC 3161 timestamps. The verification of these data structures is computationally expensive and can be exploited to consume excessive CPU resources. This type of vulnerability is classified as an 'Endless data attack' in TUF's security model. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (LOW) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L (GitHub Advisory, NVD).

When exploited, this vulnerability can lead to a denial of service attack by causing verification processes to fail to complete, disrupting services that rely on sigstore-go for verification. The attack can be triggered by providing a maliciously crafted Sigstore Bundle containing large amounts of verifiable data (GitHub Advisory).

The vulnerability has been fixed in sigstore-go version 0.6.1, which introduces hard limits on the number of verifiable data structures that can be processed in a bundle. The limits are: 32 signed transparency log entries, 32 RFC 3161 timestamps, 1024 attestation subjects, and 32 digests per attestation subject. For users unable to upgrade immediately, it is recommended to add manual bundle validation to enforce similar limits before calling sigstore-go's verification functions (GitHub Advisory).