Policy Controller
cpe:2.3:a:sigstore:policy_controller:*:*:*:*:*:*:*:*
| Field | Value |
|---|---|
| Part | a |
| Version | * |
| Update | * |
| Vendor | Sigstore (534c4401-0625-5be2-ae9b-f6c1539e71bc) |
| Product | Policy Controller (88ff31c1-666b-5ede-acc2-33a9922b6c16) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/sigstore/policy-controller | purl2cpe | 2026-06-01 10:15:40.698788 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2022-35930 | vulnerable | 2026-06-08 05:46:05.999016 | Ability to bypass attestation verification in sigstore PolicyController. Severity: HIGH (7.1). PolicyController is a utility used to enforce supply chain policy in Kubernetes clusters. In versions prior to 0.2.1 PolicyController will report a false positive, resulting in an admission when it should not be admitted when there is at least one attestation with a valid signature and there are NO attestations of the type being verified (--type defaults to "custom"). An example image that can be used to test this is `ghcr.io/distroless/static@sha256:dd7614b5a12bc4d617b223c588b4e0c833402b8f4991fb5702ea83afad1986e2`. Users should upgrade to version 0.2.1 to resolve this issue. There are no workarounds for users unable to upgrade. Published: 2022-08-04T21:15:15.000Z. Updated: 2025-04-23T17:53:16.444Z. | Imported from gcve-enriched-dumps CVE data |