Skip to main content

Sigstore CVE-2026-31830

HIGH
Unchecked Return Value (CWE-252)
2026-03-10 security-advisories@github.com GHSA-mhg6-2q2v-9h2c
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Mar 10, 2026 - 22:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardless of whether the artifact matches the attested subject. This vulnerability is fixed in 0.2.3.

AnalysisAI

Sigstore-ruby versions before 0.2.3 fail to properly validate artifact digests when verifying DSSE bundles with in-toto attestations, causing the library to incorrectly return successful verification even when the artifact does not match the attested subject. This allows attackers to bypass cryptographic verification controls and accept mismatched or tampered artifacts as valid. Organizations using sigstore-ruby for supply chain verification should upgrade to version 0.2.3 immediately, though no patch is currently available for other affected projects.

Technical ContextAI

This vulnerability (CWE-252: Unchecked Return Value) affects sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project.. sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardless of whether the artifact matches the attested subject. This vulnerability is fixed

RemediationAI

Fixed in version 0.2.3.. Restrict network access to the affected service where possible.

Share

CVE-2026-31830 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy