Conversation

@cx-adar-zandberg
Contributor

Summary

Mitigate CVE-2026-24137 affecting github.com/sigstore/sigstore through the transitive dependency chain:

github.com/sylabs/sif/v2@v2.21.1 -> github.com/sigstore/sigstore@v1.8.15

Fix

The vulnerability is fixed in sigstore v1.10.4. This PR adds a replace directive to force the patched version without requiring a Go 1.25 upgrade.

References


Pull Request opened by Augment Code with guidance from the PR author

Mitigate CVE-2026-24137 affecting github.com/sigstore/sigstore through the
transitive dependency chain:
  github.com/sylabs/sif/v2@v2.21.1 -> github.com/sigstore/sigstore@v1.8.15

The vulnerability is fixed in sigstore v1.10.4. Using a replace directive
to force the patched version without requiring a Go 1.25 upgrade.
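The mechanics behind the fix described above, as an added example that is not code from the PR, from sigstore or from sif: a constructed go.mod before and after the `replace` directive, plus a small offline check of which version of a module the main module will actually build with. The module path example.com/scanner, the `go 1.24` directive and the go.mod text are invented for illustration; only the sif/sigstore paths and versions come from the PR.

```shell
#!/bin/sh
# Added example (not code from the PR or from sigstore/sif): shows what a go.mod
# `replace` directive does to the version a transitive dependency resolves to,
# and an offline check of the version a go.mod will actually build with.
# The module path example.com/scanner, the go directive and the go.mod text
# are constructed for illustration; only the sif/sigstore paths and versions
# come from the PR. In a real repo you would run `go mod edit -replace`,
# `go mod tidy`, `go list -m <module>` and `govulncheck ./...` instead.
set -eu

# Constructed go.mod before the fix: sif/v2 v2.21.1 pulls in sigstore v1.8.15.
GOMOD_BEFORE='module example.com/scanner

go 1.24

require (
    github.com/sylabs/sif/v2 v2.21.1
    github.com/sigstore/sigstore v1.8.15 // indirect
)
'

# Same file with the replace directive the PR adds. The requirement graph is
# untouched; the main module simply swaps in v1.10.4 wherever sigstore is used.
GOMOD_AFTER="$GOMOD_BEFORE
replace github.com/sigstore/sigstore => github.com/sigstore/sigstore v1.10.4
"

# effective_version <module path> <go.mod text>
# Prints the version the main module will build <module path> at: the replace
# target if one exists, otherwise the required version. Handles both the
# single-line and the parenthesised block form of require/replace.
effective_version() {
    printf '%s\n' "$2" | awk -v mod="$1" '
        /^require[ \t]*\($/ { blk = "require"; next }
        /^replace[ \t]*\($/ { blk = "replace"; next }
        /^\)[ \t]*$/        { blk = "";        next }
        {
            line = $0
            sub(/[ \t]*\/\/.*$/, "", line)   # drop "// indirect" and other comments
            sub(/^[ \t]+/, "", line)
            if (line == "") next
            kind = blk
            if (kind == "") {
                if (line ~ /^require[ \t]/)      { kind = "require"; sub(/^require[ \t]+/, "", line) }
                else if (line ~ /^replace[ \t]/) { kind = "replace"; sub(/^replace[ \t]+/, "", line) }
                else next
            }
            n = split(line, f, /[ \t]+/)
            if (f[1] != mod) next
            if (kind == "require") req = f[2]
            else rep = f[n]   # "A [vX] => B vY": last field is the replacement version (or a local path)
        }
        END { print (rep != "" ? rep : req) }
    '
}

# at_least <have> <want>: succeeds when semver <have> is >= <want>.
# Pre-release and pseudo-version suffixes are ignored, so check those by hand.
at_least() {
    awk -v have="${1#v}" -v want="${2#v}" 'BEGIN {
        sub(/[-+].*/, "", have); sub(/[-+].*/, "", want)
        split(have, a, "."); split(want, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
        exit 0
    }'
}

MODULE=github.com/sigstore/sigstore
FIXED=v1.10.4

before=$(effective_version "$MODULE" "$GOMOD_BEFORE")
after=$(effective_version "$MODULE" "$GOMOD_AFTER")
echo "sigstore before replace: $before"
echo "sigstore after  replace: $after"
if at_least "$after" "$FIXED"; then
    echo "replace pins a version at or above $FIXED"
else
    echo "replace target $after is still below $FIXED" >&2
    exit 1
fi
```

Two caveats a reviewer of such a PR would check. First, a `replace` directive is honoured only in the main module: anyone who imports this module gets their own version selection and does not inherit the override, so downstream consumers still need the sif bump or their own replace. Second, sif v2.21.1 was built against sigstore v1.8.15, so the override can surface API or behaviour differences that minimal version selection would otherwise have avoided; run `go mod tidy` (so go.sum gains the v1.10.4 entries), confirm with `go list -m github.com/sigstore/sigstore` and `govulncheck ./...`, and run the test suite before merging.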
cx-shaked-karta commented Jan 28, 2026

Checkmarx One – Scan Summary & Details: a9bf8911-f850-4df4-b134-4dc01279519a

Great job! No new security vulnerabilities introduced in this pull request


Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

@cx-adar-zandberg changed the title from "Fix CVE-2026-24137 (AST-0000)" to "Fix CVE-2026-24137 (AST-132239)" on Jan 28, 2026
@cx-david-kesoshvili (Contributor) left a comment

Approved by automated security vulnerability remediation process.

Fixed CVEs:
- CVE-2026-24137: sigstore updated to v1.10.4
- CVE-2025-64329, CVE-2024-25621: containerd/v2 updated to v2.1.5
- CVE-2025-31133, CVE-2025-52881, CVE-2025-52565: runc updated to v1.3.3
- CVE-2025-46569: OPA updated to v1.4.0
- CVE-2025-22868: lestrrat-go/jwx updated to v1.2.31

Not a vulnerability:
- CVE-2019-25210: Helm project officially rejected this CVE

Known unfixable (require major version upgrades):
- CVE-2025-11579: rardecode v1 has no fix, requires v2
- CVE-2025-27144: go-jose.v2 has no fix, requires v4
3 participants