x/vulndb: potential Go vuln in github.com/sigstore/sigstore-go: GHSA-cq38-jh5f-37mq

[GoVulnBot]

Advisory GHSA-cq38-jh5f-37mq references a vulnerability in the following Go modules:

Module
github.com/sigstore/sigstore-go

Description:

Impact

sigstore-go is susceptible to a denial of service attack when a verifier is provided a maliciously crafted Sigstore Bundle containing large amounts of verifiable data, in the form of signed transparency log entries, RFC 3161 timestamps, and attestation subjects. The verification of these data structures is computationally expensive. This can be used to consume excessive CPU resources, leading to a denial of service attack. TUF's security model labels this type of vulnerability an "Endless data attack," and can lead to verification failing to complete and disrupting services that re...

References:

• ADVISORY: GHSA-cq38-jh5f-37mq
• ADVISORY: GHSA-cq38-jh5f-37mq
• FIX: sigstore/sigstore-go@01e70e8

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/sigstore/sigstore-go
      non_go_versions:
        - introduced: TODO (earliest fixed "0.6.1", vuln range "<= 0.6.0")
      vulnerable_at: 0.6.1
summary: |-
    sigstore-go has an unbounded loop over untrusted input can lead to endless data
    attack in github.com/sigstore/sigstore-go
cves:
    - CVE-2024-45395
ghsas:
    - GHSA-cq38-jh5f-37mq
references:
    - advisory: https://github.com/advisories/GHSA-cq38-jh5f-37mq
    - advisory: https://github.com/sigstore/sigstore-go/security/advisories/GHSA-cq38-jh5f-37mq
    - fix: https://github.com/sigstore/sigstore-go/commit/01e70e89e58226286d7977b4dba43b6be472b12c
source:
    id: GHSA-cq38-jh5f-37mq
    created: 2024-09-04T21:01:34.936166322Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/610804 mentions this issue: data/reports: add 8 unreviewed reports