CVE-2026-22772 (CNNVD-202601-1808)
中文标题:
Fulcio 代码问题漏洞
英文标题:
Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC)
漏洞描述
中文描述:
Fulcio是sigstore开源的一个证书颁发机构。 Fulcio 1.8.5之前版本存在代码问题漏洞,该漏洞源于MetaIssuer URL验证使用未锚定的正则表达式,可能导致绕过验证并触发针对任意内部服务的盲SSRF攻击。
英文描述:
Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| sigstore | fulcio | < 1.8.5 | - | - |
cpe:2.3:a:sigstore:fulcio:<_1.8.5:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| NVD | nvd_CVE-2026-22772 |
2026-01-13 03:00:04 | 2026-01-13 06:36:23 |
| CVE | cve_CVE-2026-22772 |
2026-01-13 07:35:06 | 2026-01-13 07:40:57 |
| CNNVD | cnnvd_CNNVD-202601-1808 |
2026-01-15 01:52:30 | 2026-01-15 01:53:10 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 代码问题
- cnnvd_id: 未提取 -> CNNVD-202601-1808
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- affected_products_count: 0 -> 1
- data_sources: ['nvd'] -> ['cve', 'nvd']