Suggestions search

Untriaged

Filter by:

With package: rekor-server

Found 2 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-24117

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 2 months, 3 weeks ago

Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false.

References

https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j x_refsource_CONFIRM
https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f x_refsource_MISC
https://github.com/sigstore/rekor/releases/tag/v1.5.0 x_refsource_MISC

Affected products

rekor

==< 1.5.0

Matching in nixpkgs

pkgs.rekor-cli

CLI client for Sigstore, the Signature Transparency Log

nixos-unstable 1.4.0
- nixpkgs-unstable 1.4.0
- nixos-unstable-small 1.4.0
nixos-25.11 1.4.3
- nixpkgs-25.11-darwin 1.4.3

pkgs.rekor-server

Sigstore server, the Signature Transparency Log

nixos-unstable 1.4.0
- nixpkgs-unstable 1.4.0
- nixos-unstable-small 1.4.0
nixos-25.11 1.4.3
- nixpkgs-25.11-darwin 1.4.3

pkgs.python312Packages.sigstore-rekor-types

Python models for Rekor's API types

nixos-unstable 0.0.18
- nixpkgs-unstable 0.0.18
- nixos-unstable-small 0.0.18
nixos-25.11 0.0.18
- nixpkgs-25.11-darwin 0.0.18

pkgs.python313Packages.sigstore-rekor-types

Python models for Rekor's API types

nixos-unstable 0.0.18
- nixpkgs-unstable 0.0.18
- nixos-unstable-small 0.0.18
nixos-25.11 0.0.18
- nixpkgs-25.11-darwin 0.0.18

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>
@LeSuisse Thomas Gerbet <thomas@gerbet.me>

Permalink CVE-2026-23831

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): NONE
Availability impact (A): LOW

created 2 months, 3 weeks ago

Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.