Skip to content

Cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature

Moderate severity GitHub Reviewed Published Sep 14, 2022 in sigstore/cosign • Updated May 20, 2024

No closed alerts for this advisory

Give feedback on Dependabot alerts