malformed proposed intoto entries can cause a panic
Package
Affected versions
< 1.2.0
Patched versions
1.2.0
Description
Published to the GitHub Advisory Database
May 26, 2023
Reviewed
May 26, 2023
Published by the National Vulnerability Database
May 26, 2023
Last updated
Nov 4, 2023
Impact
A malformed proposed entry of the intoto/v0.0.2 type can cause a panic on a thread within the Rekor process. The thread is recovered, so the client receives a 500 error message and the service continues running; the availability impact is therefore minimal.
Patches
This is fixed in v1.2.0 of Rekor.
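The two behaviours the advisory contrasts, a handler that panics on a malformed proposed entry but is recovered into a 500, and a hardened handler that validates the entry and answers 400, can be shown side by side in Go. The following is an added illustration, not Rekor's own code: the `ProposedEntry` struct is a constructed, simplified stand-in for the real entry schema, the endpoint path is assumed, and the request bodies are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ProposedEntry is a constructed, simplified stand-in for a proposed log entry
// (kind, apiVersion, nested spec). It is not Rekor's own type or schema.
type ProposedEntry struct {
	Kind       string `json:"kind"`
	APIVersion string `json:"apiVersion"`
	Spec       *struct {
		Content *struct {
			Envelope string `json:"envelope"`
		} `json:"content"`
	} `json:"spec"`
}

// unsafeHandler models the pre-fix failure mode: it assumes the nested fields
// are present and dereferences them, so a body that omits "spec" or "content"
// panics inside the handler.
func unsafeHandler(w http.ResponseWriter, r *http.Request) {
	var e ProposedEntry
	if err := json.NewDecoder(r.Body).Decode(&e); err != nil {
		http.Error(w, "invalid JSON", http.StatusBadRequest)
		return
	}
	env := e.Spec.Content.Envelope // nil-pointer dereference on a malformed entry
	fmt.Fprintf(w, "accepted envelope of %d bytes\n", len(env))
}

// recoverMiddleware is the safety net the advisory describes: the panic is
// caught, the client receives a 500, and the server keeps serving requests.
func recoverMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("recovered panic in %s %s: %v", r.Method, r.URL.Path, rec)
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// validateEntry is the hardened path: check every field the handler will touch
// and return a descriptive error instead of dereferencing a nil pointer.
func validateEntry(e *ProposedEntry) error {
	if e.Kind != "intoto" {
		return fmt.Errorf("unsupported kind %q", e.Kind)
	}
	if e.APIVersion != "0.0.2" {
		return fmt.Errorf("unsupported apiVersion %q", e.APIVersion)
	}
	if e.Spec == nil || e.Spec.Content == nil {
		return fmt.Errorf("spec.content is required")
	}
	if e.Spec.Content.Envelope == "" {
		return fmt.Errorf("spec.content.envelope must not be empty")
	}
	return nil
}

// safeHandler validates before use, so a malformed entry yields a 400 rather
// than a panic and never reaches the recover path.
func safeHandler(w http.ResponseWriter, r *http.Request) {
	var e ProposedEntry
	if err := json.NewDecoder(r.Body).Decode(&e); err != nil {
		http.Error(w, "invalid JSON", http.StatusBadRequest)
		return
	}
	if err := validateEntry(&e); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted envelope of %d bytes\n", len(e.Spec.Content.Envelope))
}

// postEntry drives a handler in-process and returns the HTTP status it produced.
// The path is an assumption for illustration only.
func postEntry(h http.Handler, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/v1/log/entries", strings.NewReader(body))
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Constructed sample bodies: one missing the nested spec, one well-formed.
const (
	malformedBody  = `{"kind":"intoto","apiVersion":"0.0.2"}`
	wellFormedBody = `{"kind":"intoto","apiVersion":"0.0.2","spec":{"content":{"envelope":"placeholder-envelope"}}}`
)

func main() {
	unsafe := recoverMiddleware(http.HandlerFunc(unsafeHandler))
	safe := http.HandlerFunc(safeHandler)
	fmt.Println("unsafe+recover, malformed:", postEntry(unsafe, malformedBody))  // 500
	fmt.Println("safe, malformed:", postEntry(safe, malformedBody))              // 400
	fmt.Println("unsafe+recover, valid:", postEntry(unsafe, wellFormedBody))     // 200
	fmt.Println("safe, valid:", postEntry(safe, wellFormedBody))                 // 200
}
```

The recover middleware is what keeps the availability impact minimal, since one bad request costs only that request; the validation step is what removes the panic altogether, and it also gives the client an actionable 400 instead of an opaque 500. From a detection standpoint, the `log.Printf` line in the middleware is the signal to alert on: recovered panics in a request handler should be rare, and a burst of them on one endpoint indicates malformed input being submitted repeatedly.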
Workarounds
No
References
Discovered by OSS-Fuzz