threat
engine
.sh
Back
·
··:··
Home
/
Product
/
sigstore cosign
Product
sigstore cosign
13 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
Sort
Newest first
Oldest first
Highest CVSS
Lowest CVSS
Min CVSS
Any
4.0+
7.0+ (High)
9.0+ (Critical)
Published since
Reset
CVE-2026-39395
< 2.6.3
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestatio
4.3
MEDIUM
CVE-2026-31830
< 0.2.3
sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigst
7.5
HIGH
CVE-2026-24122
< 3.0.5
Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate wit
3.7
LOW
CVE-2026-22703
< 2.6.2
Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be
5.5
MEDIUM
CVE-2024-45395
< 0.6.1
sigstore-go, a Go library for Sigstore signing and verification, is susceptible to a denial of service attack in versions prior to
3.1
LOW
CVE-2024-29903
< 2.2.4
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software ar
4.2
MEDIUM
CVE-2024-29902
< 2.2.4
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious
4.2
MEDIUM
CVE-2023-47122
>= 0.6.0 and < 0.8.0
Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor p
4.2
MEDIUM
CVE-2023-46737
< 2.2.1
Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled regis
3.1
LOW
CVE-2022-36056
< 1.12.0
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1
5.5
MEDIUM
CVE-2022-35930
< 0.2.1
PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyControl
7.1
HIGH
CVE-2022-35929
< 1.10.1
cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any atte
7.1
HIGH
CVE-2022-23649
< 1.5.2
Cosign provides container signing, verification, and storage in an OCI registry for the sigstore project. Prior to version 1.5.2,
3.3
LOW
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin