VDB
GHSA-R2XV-VPR2-42M9
PUBLISHED
CVSS 9.3 CRITICAL
slsa-verifier vulnerable to improper validation of npm's publish attestations
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | slsa-framework/slsa-verifier/v2 | 0, 0, 0 |
| github.com | slsa-framework/slsa-verifier | 0 |
| github.com | slsa-framework/slsa-verifier/v2 | 0 |
| Go | github.com/slsa-framework/slsa-verifier | 0 |
| Go | github.com/slsa-framework/slsa-verifier/v2 | 0 |
| github.com | slsa-framework/slsa-verifier | 0, 0, 0 |
Timeline
- Nov 8, 2023 CVE Published
- Nov 9, 2023 CVE Updated
References
- https://github.com/slsa-framework/slsa-verifier/security/advisories/GHSA-r2xv-vpr2-42m9 url
- https://github.com/npm/attestation/tree/main/specs/publish/v0.1 url
- https://github.com/slsa-framework/slsa-verifier product
- https://openssf.slack.com/archives/C03PDLFET5W/p1695330038983179 url
- GitHub Advisory GHSA-r2xv-vpr2-42m9 vendor-advisory
- https://github.com/slsa-framework/slsa-verifier/pull/705 url
- https://github.com/slsa-framework/slsa-verifier/commit/f6ae402f458b347d2c414f1d053fc1f8257888d0 url