<Vulnerability name="CVE-2026-48816">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-01T19:58:28</PublicDate>
    <Bugzilla id="2499688" url="https://bugzilla.redhat.com/show_bug.cgi?id=2499688" xml:lang="en:us">
sigstore-js: github.com/sigstore/sigstore-js: sigstore-js: Insufficient verification of data authenticity allows timestamp manipulation
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-345</CWE>
    <Details xml:lang="en:us" source="Mitre">
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 3.1.1, @sigstore/verify derives a transparency-log timestamp from tlogEntries[].integratedTime for bundle v0.2 inclusionProof-only entries even though the inclusion proof path does not cryptographically bind integratedTime, allowing an attacker who can supply an untrusted bundle to influence certificate validity and timestampThreshold verification decisions. This issue is fixed in version 3.1.1.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in sigstore-js. The software derives a transparency-log timestamp from tlogEntries[].integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a transparency log (tlog) entry can be inclusion-proof-only, meaning the inclusion proof path does not cryptographically bind the integratedTime. This allows an attacker who can supply an untrusted bundle to influence time-based verification decisions by choosing an arbitrary integratedTime. This could lead to incorrect validation of certificate validity.
    </Details>
    <Statement xml:lang="en:us">
A flaw was found in sigstore-js. The tlog integratedTime field is not cryptographically bound in inclusionProof-only bundle v0.2 entries, allowing an attacker who supplies an untrusted bundle to influence time-based verification decisions.
    </Statement>
    <Mitigation xml:lang="en:us">
Upgrade to the latest sigstore-js (&gt;= 3.1.1) release that addresses GHSA-xgjw-pm74-86q4.
    </Mitigation>
    <PackageState impact="moderate" cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:ansible_portal:2">
        <ProductName>Self-service automation portal 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-48816
https://nvd.nist.gov/vuln/detail/CVE-2026-48816
https://github.com/sigstore/sigstore-js/security/advisories/GHSA-xgjw-pm74-86q4
    </References>
</Vulnerability>