Safety vulnerability ID: 76385
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Versions of sigstore-python newer than 2.0.0 but before 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is verified against a source of signed time (such as an inclusion promise) when one is present, but is otherwise taken on trust when no source of signed time is present. This does not affect "v1" bundles, as the "v1" bundle format always requires an inclusion promise.
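The gap described above, as an added illustration rather than sigstore-python's own code: a simplified verifier's time check in the flawed shape beside a hardened one, run over constructed bundles. The `Bundle` fields and the assumption that `signed_time` is already signature-checked are simplifications made for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Bundle:
    """Constructed, simplified stand-in for a Sigstore bundle (not the real schema)."""
    media_version: str            # "v1", "v2" or "v3"
    integrated_time: int          # log integration time claimed in the bundle (Unix seconds)
    signed_time: Optional[int]    # time attested by a signed source (e.g. an inclusion
                                  # promise), assumed already signature-verified; None if absent
    cert_not_before: int          # signing certificate validity window
    cert_not_after: int


def _within_cert_window(t: int, b: Bundle) -> bool:
    return b.cert_not_before <= t <= b.cert_not_after


def verify_time_flawed(b: Bundle) -> bool:
    """Shape of the affected behaviour: the claimed integration time is only
    cross-checked when a signed time exists; otherwise it is trusted as-is."""
    if b.signed_time is not None and b.signed_time != b.integrated_time:
        return False
    return _within_cert_window(b.integrated_time, b)


def verify_time_hardened(b: Bundle) -> bool:
    """Hardened shape: without a signed time source there is no authenticated
    time to anchor the certificate check, so the bundle is rejected."""
    if b.signed_time is None:
        return False
    if b.signed_time != b.integrated_time:
        return False
    return _within_cert_window(b.signed_time, b)


# Constructed inputs: a cert valid 1000..2000, and a v3 bundle whose unsigned
# integration time merely claims to fall inside that window.
GENUINE = Bundle("v3", 1500, 1500, 1000, 2000)
UNANCHORED = Bundle("v3", 1500, None, 1000, 2000)
MISMATCH = Bundle("v2", 1500, 2500, 1000, 2000)
```

The hardened check refuses the unanchored v3 bundle that the flawed check accepts, which is the difference the advisory describes.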
Latest version: 3.6.1
A tool for signing Python package distributions