CVE-2024-51746: 
Wolfi vulnerability analysis and mitigation

Gitsign, a keyless Sigstore signing tool for Git commits with GitHub/OIDC identity, contains a vulnerability identified as CVE-2024-51746. The issue was discovered and disclosed in November 2024, affecting versions prior to 0.11.0. The vulnerability relates to the incorrect selection of Rekor entries during online verification when multiple entries are returned by the log (GitHub Advisory).

The vulnerability stems from gitsign's interaction with Rekor's search API when fetching entries for signature verification. The search API is queried using two parameters: the public key and the payload. However, the API returns entries matching either condition rather than requiring both conditions to match. When gitsign's credential cache is used, multiple entries can exist using the same ephemeral keypair/signing certificate. The issue arises because gitsign assumes both conditions are matched by Rekor but doesn't validate that the entry's hash matches the payload being verified. This can result in the wrong entry being used to pass verification. The vulnerability has been assigned a CVSS v4.0 score of 1.8 (LOW) with the vector: CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (NVD).

The impact of this vulnerability is considered minimal. While gitsign fails to match the payload against the entry, it still ensures that the certificate matches. Exploitation would need to occur during the certificate validity window (10 minutes) and could only be performed by the key holder (GitHub Advisory).

The vulnerability has been patched in gitsign version 0.11.0. Users are recommended to upgrade to this version or later to address the issue (GitHub Advisory).