AVID-2026-R1243

Description

malformed proposed intoto v0.0.2 entries can cause a panic in Rekor (CVE-2023-33199)

Details

Rekor's goal is to provide an immutable, tamper-resistant ledger of metadata generated within a software project's supply chain. A malformed proposed entry of the intoto/v0.0.2 type can cause a panic on a thread within the Rekor process. The thread is recovered, so the client receives a 500 error message and the service continues; the availability impact is therefore minimal. This has been fixed in v1.2.0 of Rekor. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Reason for inclusion in AVID: CVE-2023-33199 describes a vulnerability in Rekor (part of the Sigstore supply chain tooling) where malformed intoto/v0.0.2 entries can cause a panic. Rekor provides a tamper-evident ledger for software provenance and is used in software supply chain workflows, which include AI systems and models through artifact signing/verification and provenance logging. The issue affects the availability of the supply chain tooling, is a security vulnerability, and there is sufficient public evidence (CVE entry, advisory, and references) with a fixed version (v1.2.0). Therefore, it is relevant to the AI general-purpose software supply chain and should be kept for AVID curation.

References

Affected or Relevant Artifacts

  • Developer: sigstore
  • Deployer: sigstore
  • Artifact Details:
      Type: System
      Name: rekor

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score: 5.3
Base Severity: 🟠 Medium
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: 🟢 Low

CWE

ID: CWE-617
Description: CWE-617: Reachable Assertion

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2023-05-26
  • Version: 0.3.3
  • AVID Entry