{"id":"CVE-2022-35929","summary":"False positive signature verification in cosign","details":"cosign is a container signing and verification utility. In versions prior to 1.10.1 cosign can report a false positive if any attestation exists. `cosign verify-attestation` used with the `--type` flag will report a false positive verification when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to \"custom\"). This can happen when signing with a standard keypair and with \"keyless\" signing with Fulcio. This vulnerability can be reproduced with the `distroless.dev/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2` image. This image has a `vuln` attestation but not an `spdx` attestation. However, if you run `cosign verify-attestation --type=spdx` on this image, it incorrectly succeeds. This issue has been addressed in version 1.10.1 of cosign. Users are advised to upgrade. There are no known workarounds for this issue.","aliases":["BIT-cosign-2022-35929","GHSA-vjxv-45g9-9296","GO-2022-0758"],"modified":"2026-04-20T04:06:10.130683Z","published":"2022-08-04T18:45:14Z","related":["SUSE-SU-2022:2877-1","openSUSE-SU-2024:12240-1"],"database_specific":{"cwe_ids":["CWE-347"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35929.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/35xxx/CVE-2022-35929.json"},{"type":"ADVISORY","url":"https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35929"},{"type":"FIX","url":"https://github.com/sigstore/cosign/commit/c5fda01a8ff33ca981f45a9f13e7fb6bd2080b94"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sigstore/cosign","events":[{"introduced":"0"},{"fixed":"a39ce91fadc582e0efce3321744a79ccd3c8b39c"}]}],"versions":["cosigned-v0.0.1-dev","cosigned-v0.0.2-dev","cosigned-v0.0.3-dev","v0.1.0","v0.2.0","v0.3.0","v0.3.1","v0.4.0","v0.5.0","v0.6.0","v1.0.0","v1.0.1","v1.1.0","v1.10.0","v1.10.0-rc.1","v1.2.0","v1.2.1","v1.3.0","v1.3.1","v1.4.0","v1.4.1","v1.5.0","v1.5.1","v1.6.0","v1.7.0","v1.7.1","v1.7.2","v1.8.0","v1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-35929.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}