Skip to main content

Sigstore

1 CVEs product

Monthly

CVE-2026-31830 Ruby HIGH PATCH This Week

Sigstore-ruby versions before 0.2.3 fail to properly validate artifact digests when verifying DSSE bundles with in-toto attestations, causing the library to incorrectly return successful verification even when the artifact does not match the attested subject. This allows attackers to bypass cryptographic verification controls and accept mismatched or tampered artifacts as valid. Organizations using sigstore-ruby for supply chain verification should upgrade to version 0.2.3 immediately, though no patch is currently available for other affected projects.

Information Disclosure Sigstore
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Sigstore-ruby versions before 0.2.3 fail to properly validate artifact digests when verifying DSSE bundles with in-toto attestations, causing the library to incorrectly return successful verification even when the artifact does not match the attested subject. This allows attackers to bypass cryptographic verification controls and accept mismatched or tampered artifacts as valid. Organizations using sigstore-ruby for supply chain verification should upgrade to version 0.2.3 immediately, though no patch is currently available for other affected projects.

Information Disclosure Sigstore
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy