github.com/sigstore/rekor
Language: Go. 4 known CVEs affecting this package.
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting github.com/sigstore/rekor (page 1 of 1)
- CVE-2023-30551 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.1.1 | 2023-05-08
Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verificat…
- CVE-2023-33199 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.2.0 | 2023-05-26
Rekor's goals are to provide an immutable, tamper-resistant ledger of metadata generated within a software project's supply chain. A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process.…
- CVE-2026-23831 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.5.0 | 2026-01-22
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereferenc…
- CVE-2026-24117 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.5.0 | 2026-01-22
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF…