CVE-2023-47122

Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.

Description

Gitsign is software for keyless Git signing using Sigstore. In versions of gitsign starting with 0.6.0 and prior to 0.8.0, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise the default public good instance (`rekor.sigstore.dev`) - anyone using this instance is unaffected. This issue was fixed in v0.8.0. No known workarounds are available.

Category

4.2
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.09%
Vendor Advisory github.com
Affected: sigstore gitsign
Published at:
Updated at:

References

Link Tags
https://github.com/sigstore/gitsign/security/advisories/GHSA-xvrc-2wvh-49vc patch vendor advisory
https://github.com/sigstore/gitsign/pull/399 patch
https://github.com/sigstore/gitsign/commit/cd66ccb03c86a3600955f0c15f6bfeb75f697236 patch
https://docs.sigstore.dev/about/threat-model/#sigstore-threat-model product

Frequently Asked Questions

What is the severity of CVE-2023-47122?
CVE-2023-47122 has been scored as a medium severity vulnerability.
How to fix CVE-2023-47122?
To fix CVE-2023-47122, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-47122 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-47122 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-47122?
CVE-2023-47122 affects sigstore gitsign.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.