Platform: python
Component: sigstore
Fixed in: 4.2.1, 4.2.0
CVE-2026-24408 describes a Cross-Site Request Forgery (CSRF) vulnerability within the OAuth authentication flow of sigstore-python. This flaw allows a malicious actor to potentially trick a user into signing data with an identity controlled by the attacker. The vulnerability affects versions of sigstore-python up to and including 4.1.0, and a fix is available in version 4.2.0.
The impact of this CSRF vulnerability is rated low. Exploitation also requires the attacker to hold a man-in-the-middle position on the user's connection. From that position, the attacker crafts a request which, once triggered by the user, causes sigstore-python to complete the OAuth flow and sign the user's data under the attacker's identity rather than the user's; the resulting signature would then attest the artifact to an attacker-controlled identity. While technically feasible, the MITM prerequisite limits practical exploitability.
CVE-2026-24408 was publicly disclosed on 2026-01-26. There are currently no known public proof-of-concept exploits. The CVSS base score is 2.5 (LOW), a low severity rating (likelihood of exploitation is captured separately by the EPSS figure below). It is not currently listed in the CISA KEV catalog.
Developers and organizations using sigstore-python for code signing and verification are at risk: specifically, those who authenticate through the OAuth (OIDC browser) flow on versions prior to 4.2.0. Shared hosting environments where multiple users share the same sigstore-python installation could also be affected.
• python / sigstore: Inspect OAuth authentication flows for unexpected requests or parameters.

    # Example: check for state parameters in OAuth callback requests
    import re
    pattern = re.compile(r'state=[a-zA-Z0-9_-]+')
    # Analyze network traffic or application logs for this pattern, e.g.
    request_line = "GET /auth/callback?code=abc&state=xyz123 HTTP/1.1"  # constructed sample
    print(pattern.search(request_line))

• python / sigstore: Monitor for unusual code signing activity or unexpected signatures.

    # Example: check for signatures from unknown or suspicious identities
    from cryptography import x509
    # Load each code signing certificate and compare its identity against an allow list:
    # cert = x509.load_pem_x509_certificate(pem_bytes)

Disclosure
Exploit status
EPSS: 0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24408 is to upgrade to sigstore-python version 4.2.0 or later, which contains the fix. If upgrading is not immediately possible, consider compensating measures. User awareness training about phishing and malicious websites matters here, because the attack is triggered through the user's browser. Restricting OAuth flows to trusted origins can also reduce the risk. While not a direct fix, strong authentication practices and regular review of OAuth application permissions shrink the attack surface.
Update the sigstore-python library to version 4.2.0 or later. This fixes the CSRF vulnerability in OIDC authentication during signing. You can update with `pip install --upgrade sigstore`.
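The standard defence against CSRF in an OAuth authorization-code flow is a random `state` value bound to the login attempt and checked when the callback arrives. The page does not detail the sigstore-python fix, so the following is an added illustrative example, not code from the page or from the sigstore-python project: a vulnerable callback handler that accepts any code, a hardened one that enforces the state check, and a small log scan in the spirit of the detection bullet above. The endpoint, client id, redirect URI, class and function names, and the log lines are all invented here.

```python
# Added illustrative example; not sigstore-python's code. All names are placeholders.
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://issuer.example/authorize"  # placeholder, not a real OIDC issuer
REDIRECT_URI = "http://localhost:8080/auth/callback"    # local listener, as CLI signers often use


class VulnerableCallback:
    """Accepts whatever 'code' arrives on the redirect URI, with no state check.

    Anyone who can steer the user's browser to the local callback URL can feed in
    a code minted by the attacker's own login, and the client would then complete
    the flow (and sign) under the attacker's identity. This is the CSRF pattern.
    """

    def handle(self, redirect_url: str):
        params = parse_qs(urlsplit(redirect_url).query)
        return params.get("code", [None])[0]


class HardenedCallback:
    """Binds the callback to the login attempt that started it via a random 'state'."""

    def __init__(self):
        self.expected_state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._consumed = False

    def authorization_url(self) -> str:
        query = urlencode({
            "response_type": "code",
            "client_id": "example-client",  # placeholder
            "redirect_uri": REDIRECT_URI,
            "state": self.expected_state,
        })
        return f"{AUTHORIZE_ENDPOINT}?{query}"

    def handle(self, redirect_url: str):
        if self._consumed:
            return None  # one callback per login attempt; replays are rejected
        params = parse_qs(urlsplit(redirect_url).query)
        state = params.get("state", [""])[0]
        code = params.get("code", [None])[0]
        # Constant-time comparison; a missing, guessed or foreign state is rejected.
        if not hmac.compare_digest(state.encode(), self.expected_state.encode()):
            return None
        self._consumed = True
        return code


def demo():
    """Exercise both handlers with a CSRF'd callback and a legitimate one."""
    attacker_cb = f"{REDIRECT_URI}?code=ATTACKER_CODE&state=guessed"
    vulnerable = VulnerableCallback()
    hardened = HardenedCallback()
    legit_cb = f"{REDIRECT_URI}?code=USER_CODE&state={hardened.expected_state}"
    return {
        "vulnerable_accepts_attacker": vulnerable.handle(attacker_cb),
        "hardened_rejects_attacker": hardened.handle(attacker_cb),
        "hardened_accepts_user": hardened.handle(legit_cb),
        "hardened_rejects_replay": hardened.handle(legit_cb),
    }


STATE_RE = re.compile(r"[?&]state=([A-Za-z0-9_-]+)")

# Constructed sample request log; not a real sigstore-python log format.
SAMPLE_LOG = [
    "GET /auth/callback?code=c1&state=abc123 HTTP/1.1",
    "GET /auth/callback?code=evil&state=zzz999 HTTP/1.1",
    "GET /auth/callback?code=evil2 HTTP/1.1",
    "GET /healthz HTTP/1.1",
]


def suspicious_callbacks(log_lines, issued_states):
    """Return callback requests whose state is missing or was never issued by this client."""
    flagged = []
    for line in log_lines:
        if "/auth/callback" not in line:
            continue
        m = STATE_RE.search(line)
        if m is None or m.group(1) not in issued_states:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print(demo())
    print(suspicious_callbacks(SAMPLE_LOG, {"abc123"}))
```

The hardened handler rejects the attacker's callback and a replayed legitimate one, while the vulnerable handler happily returns the attacker's code; the log scan flags the two callbacks whose state was not issued by this client.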
CVE-2026-24408 is a Cross-Site Request Forgery vulnerability in sigstore-python versions up to 4.1.0, allowing an attacker to potentially trick a user into signing data with an attacker-controlled identity.
You are affected if you are using sigstore-python version 4.1.0 or earlier. Upgrade to version 4.2.0 to mitigate the vulnerability.
Upgrade to sigstore-python version 4.2.0 or later. As a temporary workaround, enhance user awareness and restrict OAuth flows to trusted origins.
There are currently no known active exploits or campaigns targeting CVE-2026-24408, but the vulnerability remains present in older versions.
Refer to the official sigstore-python project's security advisories for the most up-to-date information: [https://github.com/sigstore/sigstore-python/security/advisories](https://github.com/sigstore/sigstore-python/security/advisories)