CVE-2022-36056: CWE-347: Improper Verification of Cryptographic Signature in sigstore cosign
Cosign is a project under the sigstore organization which aims to make signatures invisible infrastructure. In versions prior to 1.12.0 a number of vulnerabilities have been found in cosign verify-blob, where Cosign would successfully verify an artifact when verification should have failed. First a cosign bundle can be crafted to successfully verify a blob even if the embedded rekorBundle does not reference the given signature. Second, when providing identity flags, the email and issuer of a certificate is not checked when verifying a Rekor bundle, and the GitHub Actions identity is never checked. Third, providing an invalid Rekor bundle without the experimental flag results in a successful verification. And fourth an invalid transparency log entry will result in immediate success for verification. Details and examples of these issues can be seen in the GHSA-8gw7-4j42-w388 advisory linked. Users are advised to upgrade to 1.12.0. There are no known workarounds for these issues.
AI Analysis
Technical Summary
CVE-2022-36056 is a medium-severity vulnerability in the sigstore cosign tool, fixed in version 1.12.0. Cosign is the sigstore project's signing and verification tool, intended to make cryptographic signatures an invisible part of software delivery infrastructure. The flaw is improper verification of cryptographic signatures (CWE-347) in the 'cosign verify-blob' subcommand: in several situations verification succeeds where it should fail. (1) A cosign bundle can be crafted so that a blob verifies even though the embedded rekorBundle does not reference the given signature; the Rekor entry is accepted as evidence of logging without being bound to the signature and artifact actually under verification. (2) When identity flags are supplied and verification goes through a Rekor bundle, the certificate's email and OIDC issuer are not compared with the expected values, and the GitHub Actions identity claims are never checked at all, so a certificate issued to a different identity is accepted. (3) An invalid Rekor bundle supplied without the experimental flag still results in successful verification, so in that mode the bundle is not validated at all. (4) An invalid transparency log entry results in immediate success rather than failure. Together these mean a tampered or unrelated artifact can be presented as validly signed by the expected identity, which is precisely the property verify-blob exists to enforce; in a supply chain this translates to deploying code that never passed the intended signing policy. No exploitation in the wild is known, there is no workaround, and the fix is to upgrade to cosign 1.12.0 or later.
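The following Go program is an added illustration of the first two flaw classes above; it is not cosign's code and does not use the real Rekor or Fulcio formats. A toy log key stands in for Rekor's signed entry timestamp (SET), an Identity struct stands in for the subject fields of a Fulcio certificate, the JSON entry body is a simplified hashedrekord-like record, and all names (verifyVulnerable, verifyFixed, record, Demo) and the sample blobs are constructed for the example. It shows a verifier that checks the SET and the artifact signature separately but never binds the log entry to the signature being verified, beside one that does and that also enforces the identity policy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Identity stands in for the subject fields of a Fulcio-issued certificate.
type Identity struct {
	Email  string
	Issuer string
	Key    *ecdsa.PublicKey
}

// EntryBody is a simplified hashedrekord-style body: the artifact digest and
// the signature the log entry was created for. (Not the real Rekor schema.)
type EntryBody struct {
	Hash string `json:"hash"`
	Sig  string `json:"sig"`
}

// Bundle is a simplified cosign bundle: the artifact signature, the signer
// identity, the Rekor entry body and the log's signature over it (the SET).
type Bundle struct {
	Signature []byte
	Cert      Identity
	Body      []byte
	SET       []byte
}

// Policy holds the identity constraints the verifier is told to enforce.
type Policy struct{ Email, Issuer string }

func digest(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

func sign(k *ecdsa.PrivateKey, msg []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, k, digest(msg))
	if err != nil {
		panic(err)
	}
	return sig
}

// record mimics uploading a signature to the log: it returns the entry body
// and the toy log's signature over it.
func record(logKey *ecdsa.PrivateKey, blob, sig []byte) (body, set []byte) {
	body, _ = json.Marshal(EntryBody{
		Hash: hex.EncodeToString(digest(blob)),
		Sig:  base64.StdEncoding.EncodeToString(sig),
	})
	return body, sign(logKey, body)
}

// verifyVulnerable has the shape of the pre-1.12.0 logic: SET and artifact
// signature are each valid, but nothing ties the entry body to this signature
// or artifact, and the identity policy is never consulted.
func verifyVulnerable(logPub *ecdsa.PublicKey, _ Policy, blob []byte, b Bundle) bool {
	if !ecdsa.VerifyASN1(logPub, digest(b.Body), b.SET) {
		return false
	}
	return ecdsa.VerifyASN1(b.Cert.Key, digest(blob), b.Signature)
}

// verifyFixed adds the binding check and the identity check.
func verifyFixed(logPub *ecdsa.PublicKey, pol Policy, blob []byte, b Bundle) bool {
	if !ecdsa.VerifyASN1(logPub, digest(b.Body), b.SET) ||
		!ecdsa.VerifyASN1(b.Cert.Key, digest(blob), b.Signature) {
		return false
	}
	var body EntryBody
	if err := json.Unmarshal(b.Body, &body); err != nil {
		return false
	}
	if body.Hash != hex.EncodeToString(digest(blob)) ||
		body.Sig != base64.StdEncoding.EncodeToString(b.Signature) {
		return false // the log entry does not reference this signature/artifact
	}
	return b.Cert.Email == pol.Email && b.Cert.Issuer == pol.Issuer
}

func keygen() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo builds a legitimate bundle and a forged one that reuses the legitimate
// log entry with the attacker's own key and identity. It returns whether the
// legitimate bundle passes the fixed verifier, and whether the forged bundle
// passes the vulnerable and the fixed verifier respectively.
func Demo() (legitOK, forgedVuln, forgedFixed bool) {
	logKey, signer, attacker := keygen(), keygen(), keygen()
	pol := Policy{Email: "release@example.com", Issuer: "https://accounts.google.com"}

	blob := []byte("release-v1.0.0.tar.gz contents (constructed sample)")
	sig := sign(signer, blob)
	body, set := record(logKey, blob, sig)
	legit := Bundle{sig, Identity{pol.Email, pol.Issuer, &signer.PublicKey}, body, set}

	evil := []byte("backdoored release (constructed sample)")
	forged := Bundle{
		Signature: sign(attacker, evil),
		Cert:      Identity{"attacker@example.net", pol.Issuer, &attacker.PublicKey},
		Body:      body, // genuine SET, but over someone else's entry
		SET:       set,
	}
	return verifyFixed(&logKey.PublicKey, pol, blob, legit),
		verifyVulnerable(&logKey.PublicKey, pol, evil, forged),
		verifyFixed(&logKey.PublicKey, pol, evil, forged)
}

func main() {
	a, b, c := Demo()
	fmt.Printf("legit/fixed=%v forged/vulnerable=%v forged/fixed=%v\n", a, b, c)
}
```

The forged bundle is rejected by verifyFixed on the binding check before the identity comparison is even reached; with the attacker's own email the identity check would reject it too, which is why both checks matter independently.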
Potential Impact
For European organizations the impact is significant given the growing use of cosign in DevOps pipelines for artifact signing and verification. Successful exploitation lets an attacker bypass signature verification, so unauthorized or malicious components can be deployed into critical infrastructure, financial systems, healthcare applications or government services. This undermines the integrity of software delivery and can lead to data breaches, service disruption or compliance failures under GDPR and the NIS Directive. The direct effect is on integrity: a verifier accepts an artifact that was not signed under the expected policy; confidentiality and availability are affected to whatever extent the accepted artifact then acts. Exploitation requires crafting a malicious bundle and getting it, together with the artifact, in front of a pipeline running a vulnerable cosign version, for instance through a compromised or attacker-controlled artifact repository; beyond that no authentication to the verifier and no user interaction are needed, and cosign's wide adoption in European open-source and enterprise environments broadens the exposure. Consequences include reputational damage, operational downtime and remediation costs.
Mitigation Recommendations
The primary mitigation is to upgrade every instance of cosign to 1.12.0 or later, where the verify-blob logic was corrected. Inventory CI/CD pipelines, artifact repositories, build images and developer workstations for cosign binaries below 1.12.0 (cosign version prints the build), including copies baked into container images or installed by CI actions, and pin the version in pipeline definitions so it cannot silently drift. When calling verify-blob, always pass explicit identity constraints (in the 1.x CLI, --certificate-email and --certificate-oidc-issuer) rather than relying on a bare signature check; note that these checks were themselves broken before 1.12.0, so they are hardening after the upgrade, not a substitute for it. The public Rekor instance is an append-only log that anyone may submit to, so restricting submissions is not an available control; instead monitor the log for entries under your signing identities that your pipelines did not create, which can indicate misuse of a credential. Finally, maintain incident response procedures for supply chain compromise and audit the signing and verification path regularly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9849c4522896dcbf68b2
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 11:42:21 PM
Last updated: 7/31/2025, 2:57:17 PM