This repository was archived by the owner on Jun 1, 2026. It is now read-only.

security: CWE-494: Add integrity verification to venctl installer — VC-53735#141

Status: Open. torresashjiancyber wants to merge 1 commit into Venafi:main from torresashjiancyber:VC-53735-logos-fix-c

Conversation

@torresashjiancyber torresashjiancyber commented May 29, 2026

Summary

This PR remediates CWE-494 (Download of Code Without Integrity Check) by adding SHA256 checksum verification to all venctl installer downloads across the repository.

Finding

Vulnerability: CWE-494 - Download of Code Without Integrity Check
CVSS Score: 9.2 (Critical)
Impact: The installation instructions used curl | bash to download and execute the venctl CLI installer without checksum or signature verification. An attacker who can intercept the HTTPS connection or compromise the download server could substitute a malicious script.

Affected Files (8 Makefiles):

  • archives/main/Makefile
  • projects/awspca/Makefile
  • projects/cert-discovery/Makefile
  • projects/kong-mesh/Makefile
  • projects/ven01/Makefile
  • projects/ven02/Makefile
  • projects/ven03/Makefile
  • projects/ven04/Makefile

Remediation

Changed the install-venctl target in all affected Makefiles from:

install-venctl:
	@curl -sSfL https://dl.venafi.cloud/venctl/latest/installer.sh | bash

To a secure pattern that:

  1. Downloads the installer script to a temporary file
  2. Downloads the SHA256 checksum file
  3. Verifies the checksum before execution
  4. Executes the verified script
  5. Cleans up temporary files

install-venctl:
	@echo "Downloading venctl installer with integrity verification..."
	@installer=$$(mktemp --suffix=.sh) && \
	checksum=$$(mktemp) && \
	curl -sSfL https://dl.venafi.cloud/venctl/latest/installer.sh -o "$$installer" && \
	curl -sSfL https://dl.venafi.cloud/venctl/latest/installer.sh.sha256 -o "$$checksum" && \
	echo "$$(cat $$checksum)  $$installer" | sha256sum -c - && \
	bash "$$installer" && \
	rm -f "$$installer" "$$checksum"

Verification

  • Changes: 8 files modified, 64 insertions(+), 8 deletions(-)
  • Scope: All changes are isolated to the install-venctl target in Makefiles
  • Impact: The installation will now fail if checksums don't match, preventing execution of potentially compromised installers
  • Breaking Changes: None - the functionality remains the same for legitimate installers

Ticket: VC-53735
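The download-verify-execute flow described in the PR, as an added example that is not code from the PR or the Venafi repository: the verify step is factored into a function that accepts both common .sha256 layouts (a bare digest, or the "digest  filename" line sha256sum writes), and the temp files are removed on every exit path rather than only after success. It assumes sha256sum, mktemp and awk are available; local file copies stand in for the two curl downloads so it runs offline, and the installer and checksum fixtures are constructed here.

```shell
#!/bin/sh
# Added example (not the PR's code): verify an installer against its
# .sha256 file before executing it, cleaning up on every exit path.
# Assumes sha256sum, mktemp and awk; local copies replace the curl downloads.

# Returns 0 on match, 1 on mismatch, 2 if the checksum file is malformed.
# Accepts a bare 64-hex digest or the "digest  filename" layout.
verify_sha256() {
    file=$1; checksum_file=$2
    expected=$(awk 'NR==1 { print tolower($1) }' "$checksum_file")
    case "$expected" in "" | *[!0-9a-f]*) echo "malformed checksum" >&2; return 2;; esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] && return 0
    echo "checksum mismatch for $file: expected $expected got $actual" >&2
    return 1
}

# Stage both artifacts in a private temp dir, verify, then run. The subshell's
# trap removes the dir whether we succeed, fail or are interrupted; the PR's
# recipe only reaches its rm -f on the success path.
run_verified_installer() (
    installer_src=$1; checksum_src=$2
    workdir=$(mktemp -d) || exit 2
    trap 'rm -rf "$workdir"' EXIT INT TERM
    cp "$installer_src" "$workdir/installer.sh" || exit 2
    cp "$checksum_src" "$workdir/installer.sh.sha256" || exit 2
    verify_sha256 "$workdir/installer.sh" "$workdir/installer.sh.sha256" || exit $?
    sh "$workdir/installer.sh"
)

# Constructed fixture: a harmless "installer", its checksum in both layouts,
# and a tampered copy. Prints the fixture directory.
make_fixture() {
    fixture=$(mktemp -d)
    printf 'echo "venctl installer ran"\n' > "$fixture/installer.sh"
    sha256sum "$fixture/installer.sh" | awk '{ print $1 }' > "$fixture/bare.sha256"
    ( cd "$fixture" && sha256sum installer.sh > full.sha256 )
    printf '# tampered\necho "venctl installer ran"\n' > "$fixture/tampered.sh"
    echo "$fixture"
}

# Stand-alone demo: the genuine script runs, the tampered one is refused.
demo_dir=$(make_fixture)
run_verified_installer "$demo_dir/installer.sh" "$demo_dir/full.sha256"
run_verified_installer "$demo_dir/tampered.sh" "$demo_dir/full.sha256" || echo "refused tampered installer (exit $?)"
rm -rf "$demo_dir"
```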
