{"id":"GO-2023-2188","summary":"slsa-verifier vulnerable to improper validation of npm's publish attestations in github.com/slsa-framework/slsa-verifier","details":"slsa-verifier is vulnerable to improper validation of npm's publish attestations in github.com/slsa-framework/slsa-verifier. The fix is in github.com/slsa-framework/slsa-verifier/v2 starting at v2.4.1-rc.0; the unversioned module path github.com/slsa-framework/slsa-verifier has no fixed version recorded, so all versions under that path should be treated as affected.","aliases":["GHSA-r2xv-vpr2-42m9"],"modified":"2026-03-17T04:49:04.430567Z","published":"2024-08-21T14:30:22Z","related":["CGA-m4vv-q7g8-qp7m"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2023-2188","review_status":"UNREVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/slsa-framework/slsa-verifier/security/advisories/GHSA-r2xv-vpr2-42m9"},{"type":"FIX","url":"https://github.com/slsa-framework/slsa-verifier/commit/f6ae402f458b347d2c414f1d053fc1f8257888d0"},{"type":"FIX","url":"https://github.com/slsa-framework/slsa-verifier/pull/705"},{"type":"WEB","url":"https://github.com/npm/attestation/tree/main/specs/publish/v0.1"},{"type":"WEB","url":"https://openssf.slack.com/archives/C03PDLFET5W/p1695330038983179"}],"affected":[{"package":{"name":"github.com/slsa-framework/slsa-verifier","ecosystem":"Go","purl":"pkg:golang/github.com/slsa-framework/slsa-verifier"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-2188.json"}},{"package":{"name":"github.com/slsa-framework/slsa-verifier/v2","ecosystem":"Go","purl":"pkg:golang/github.com/slsa-framework/slsa-verifier/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.4.1-rc.0"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2023-2188.json"}}],"schema_version":"1.7.5"}