CVE-2026-31830
HIGHsigstore-ruby < 0.2.3 - Verification Bypass via Unchecked Return Value
Title source: llmDescription
sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardless of whether the artifact matches the attested subject. This vulnerability is fixed in 0.2.3.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c
Scores
CVSS v3
7.5
EPSS
0.0022
EPSS Percentile
12.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-252
Status
published
Products (2)
rubygems/sigstore
0 - 0.2.3RubyGems
sigstore/sigstore
< 0.2.3
Published
Mar 10, 2026
Tracked Since
Mar 11, 2026