CVE-2026-24408
sigstore CSRF possibility in OIDC authentication during signing
Description

### Summary

The sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery.

### Details

`_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request, but the "state" in the server response seems not to be cross-checked with this value. Fix should be fairly trivial.

### Impact

This should be low impact: a man-in-the-middle attacker could trick a sigstore-python user into signing something with an identity controlled by the attacker (by returning the response to an authentication request they created). This would be quite confusing but not dangerous.
How to fix CVE-2026-24408

To fix CVE-2026-24408, upgrade the affected package to the patched version listed below.

- Upgrade to 4.2.0 or later
Is CVE-2026-24408 being exploited?

Low: the EPSS score is 0.0%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)

- Affected versions: from 0, < 4.2.0
CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | NONE (0.0) | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N |