Skip to content

Fix CVE-2026-24137 (AST-132239)#34

Closed
cx-adar-zandberg wants to merge 4 commits intomainfrom
adar/fix-CVE-2026-24137
Closed

Fix CVE-2026-24137 (AST-132239)#34
cx-adar-zandberg wants to merge 4 commits intomainfrom
adar/fix-CVE-2026-24137

Conversation

@cx-adar-zandberg
Copy link
Contributor

@cx-adar-zandberg cx-adar-zandberg commented Jan 28, 2026

Summary

Mitigate CVE-2026-24137 affecting github.com/sigstore/sigstore through transitive dependency chain:

github.com/sylabs/sif/v2@v2.21.1 -> github.com/sigstore/sigstore@v1.8.15

Fix

The vulnerability is fixed in sigstore v1.10.4. This PR adds a replace directive to force the patched version without requiring a Go 1.25 upgrade.

References

Pull Request opened by Augment Code with guidance from the PR author

@cx-adar-zandberg
Fix CVE-2026-24137 by upgrading sigstore to v1.10.4
77ea812 
Mitigate CVE-2026-24137 affecting github.com/sigstore/sigstore through
transitive dependency chain:
  github.com/sylabs/sif/v2@v2.21.1 -> github.com/sigstore/sigstore@v1.8.15

The vulnerability is fixed in sigstore v1.10.4. Using a replace directive
to force the patched version without requiring Go 1.25 upgrade.
@cx-shaked-karta
Copy link
Contributor

cx-shaked-karta commented Jan 28, 2026
edited
Loading

Logo
Checkmarx One – Scan Summary & Detailsa9bf8911-f850-4df4-b134-4dc01279519a

Great job! No new security vulnerabilities introduced in this pull request

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

@cx-adar-zandberg cx-adar-zandberg changed the title Fix CVE-2026-24137 (AST-0000) Fix CVE-2026-24137 (AST-132239) Jan 28, 2026
cx-david-kesoshvili
cx-david-kesoshvili approved these changes Jan 29, 2026
View reviewed changes
Copy link
Contributor

@cx-david-kesoshvili cx-david-kesoshvili left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved by automated security vulnerability remediation process.

@cx-adar-zandberg
fix: update dependencies to address SCA vulnerabilities
cb13391 
Fixed CVEs:
- CVE-2026-24137: sigstore updated to v1.10.4
- CVE-2025-64329, CVE-2024-25621: containerd/v2 updated to v2.1.5
- CVE-2025-31133, CVE-2025-52881, CVE-2025-52565: runc updated to v1.3.3
- CVE-2025-46569: OPA updated to v1.4.0
- CVE-2025-22868: lestrrat-go/jwx updated to v1.2.31

Not a vulnerability:
- CVE-2019-25210: Helm project officially rejected this CVE

Known unfixable (require major version upgrades):
- CVE-2025-11579: rardecode v1 has no fix, requires v2
- CVE-2025-27144: go-jose.v2 has no fix, requires v4
@cx-adar-zandberg
Copy link
Contributor Author

cx-adar-zandberg commented Feb 16, 2026

vulnerability is already fixed - wrongly detected by cxSCA - should be fixed this Q

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cx-david-kesoshvili cx-david-kesoshvili cx-david-kesoshvili approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cx-adar-zandberg @cx-shaked-karta @cx-david-kesoshvili