
CVE-2022-35930: PolicyController before 0.2.1 may bypass attestation verification

CVSS Score (v3.1): 7.1

Basic Information

EPSS Score: 0.22948%
Published: 8/10/2022
Updated: 1/30/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name: github.com/sigstore/policy-controller
Ecosystem: go
Vulnerable Versions: < 0.2.1
First Patched Version: 0.2.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from how attestation types were handled in ValidatePolicyAttestationsForAuthority. The original code:

  1. Skipped the type check entirely when wantedAttestation.Type was empty
  2. When a type was specified, still added all verifiedAttestations to the result set after policy evaluation, not just those of the requested type
  3. Had no check for the case where the list of attestations of the required type was empty

The patch introduces:

  1. A 'checkedAttestations' list that only includes type-matching attestations
  2. An explicit error when no matching attestations are found
  3. Use of that filtered list, rather than all verifiedAttestations, as the final result

This matches the vulnerability description of false positives occurring when valid signatures exist but required type attestations are missing.
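To make the logic flaw concrete, the following is an added Go example (not code from policy-controller itself) that models the selection step described above in simplified form. The attestation and wantedAttestation types, the helper names, and the predicate type URIs used as sample values are assumptions made for this illustration; the project's real types are richer and signature verification has already happened before this step.

```go
package main

import (
	"errors"
	"fmt"
)

// Predicate type URIs used only as sample values in this example (assumed).
const (
	customPredicateType = "https://cosign.sigstore.dev/attestation/v1"
	spdxPredicateType   = "https://spdx.dev/Document"
)

// attestation is a hypothetical, simplified stand-in for a signature-verified
// attestation: the signature has already been checked, so only the predicate
// type of the wrapped in-toto statement matters for the selection step.
type attestation struct {
	Name          string
	PredicateType string
}

// wantedAttestation is a hypothetical stand-in for the policy's requirement:
// a name and the predicate type every matching attestation must carry.
type wantedAttestation struct {
	Name string
	Type string
}

// ErrNoMatchingAttestation is the explicit failure the fix introduces when
// signatures verify but none of the attestations is of the required type.
var ErrNoMatchingAttestation = errors.New("no attestations of the required type")

// vulnerableSelect models the pre-0.2.1 logic described on the page: the type
// check is skipped for an empty type, and even when a type is given the full
// set of verified attestations is returned, so an image carrying only an SBOM
// attestation satisfies a policy that asks for a custom one.
func vulnerableSelect(verified []attestation, want wantedAttestation) ([]attestation, error) {
	if want.Type == "" {
		return verified, nil // no type check at all
	}
	for _, a := range verified {
		if a.PredicateType != want.Type {
			continue
		}
		// per-attestation policy evaluation would run here; its outcome is
		// never tied back to which attestations end up in the result
	}
	return verified, nil // BUG: returns all verified attestations regardless of type
}

// fixedSelect models the 0.2.1 behaviour: only type-matching attestations are
// collected into a checked list, an empty list is an error, and the filtered
// list (not the full verified set) is what the caller receives.
func fixedSelect(verified []attestation, want wantedAttestation) ([]attestation, error) {
	checked := make([]attestation, 0, len(verified))
	for _, a := range verified {
		if want.Type != "" && a.PredicateType != want.Type {
			continue
		}
		checked = append(checked, a)
	}
	if len(checked) == 0 {
		return nil, fmt.Errorf("%w: wanted %q for %q", ErrNoMatchingAttestation, want.Type, want.Name)
	}
	return checked, nil
}

// admitted reduces a selection result to the admission decision a webhook
// would make: any error denies, a non-empty result admits.
func admitted(atts []attestation, err error) bool {
	return err == nil && len(atts) > 0
}

func main() {
	// Constructed scenario: the image has one validly signed SBOM attestation,
	// but the policy requires an attestation of the custom predicate type.
	verified := []attestation{{Name: "sbom", PredicateType: spdxPredicateType}}
	want := wantedAttestation{Name: "custom-required", Type: customPredicateType}

	fmt.Println("vulnerable admits:", admitted(vulnerableSelect(verified, want))) // true (false positive)
	fmt.Println("fixed admits:     ", admitted(fixedSelect(verified, want)))      // false
}
```

The scenario in main is the one the advisory describes: a valid signature exists, but on an attestation of the wrong type. The vulnerable path admits because it never ties the type filter to its return value; the fixed path denies with an explicit error, and when a matching attestation is present it returns only that one.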


WAF Protection Rules

WAF Rule

PolicyController will report a false positive, resulting in an admission when it should not be admitted when:
  * There is at least one attestation with a valid signature
  * There are NO attestations of the type being verified (--type defaults to "cus
