CVE-2026-24408

{"id": "CVE-2026-24408", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0.0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 0.0, "exploitabilityScore": 1.6}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.6}]}, "published": "2026-01-26T23:16:08.973", "references": [{"url": "https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique \"state\" and sends it as a parameter in the authentication request but the \"state\" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue."}, {"lang": "es", "value": "sigstore-python es una herramienta de Python para generar y verificar firmas de Sigstore. Antes de la versi\u00f3n 4.2.0, el flujo de autenticaci\u00f3n OAuth de sigstore-python es susceptible a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. `_OAuthSession` crea un 'estado' \u00fanico y lo env\u00eda como par\u00e1metro en la petici\u00f3n de autenticaci\u00f3n, pero el 'estado' en la respuesta del servidor parece no ser verificado con este valor. La versi\u00f3n 4.2.0 contiene un parche para el problema."}], "lastModified": "2026-03-02T21:19:25.777", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:sigstore-python:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7DA3586E-04FD-4D7E-85C8-BAE152F3C9D8", "versionEndExcluding": "4.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}