github.com/sigstore/cosign/v2

Go4 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting github.com/sigstore/cosign/v2page 1 of 1

CVE-2023-46737LOWCVSS 3.1EG 3.1✓ Fixed in 2.2.1
2023-11-07
Cosign is a sigstore signing tool for OCI containers. Cosign is susceptible to a denial of service by an attacker controlled registry. An attacker who controls a remote registry can return a high number of attestations and/or signatures to…
CVE-2024-29902MEDIUMCVSS 4.2EG 4.2✓ Fixed in 2.2.4
2024-04-10
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, a remote image with a malicious attachment can cause denial of service of the host machine running Cosign. This can impact other services on…
CVE-2024-29903MEDIUMCVSS 4.2EG 4.2✓ Fixed in 2.2.4
2024-04-10
Cosign provides code signing and transparency for containers and binaries. Prior to version 2.2.4, maliciously-crafted software artifacts can cause denial of service of the machine running Cosign thereby impacting all services on the machi…
CVE-2026-22703MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2.6.2
2026-01-10
Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact'…

Check whether github.com/sigstore/cosign/v2 is used in your infrastructure

EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for github.com/sigstore/cosign/v2 CVEs against the assets you own.

Start Free Scan →