sigstore
PyPI2 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting sigstorepage 1 of 1
- CVE-2024-55655LOWCVSS 2.7EG 2.7✓ Fixed in 3.6.02024-12-10
vulnerable: 2.0.0 ... 3.5.3 (16 versions)
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles d…
- CVE-2026-24408NONECVSS 0.0EG 0.0✓ Fixed in 4.2.02026-01-26
vulnerable: 0.0.1rc1 ... 4.1.0 (62 versions)
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state"…
Check whether sigstore is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for sigstore CVEs against the assets you own.
Start Free Scan →