Improperly Implemented path matching for in-toto-golang

Impact

Authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo).

Patches

The problem has been fixed in version 0.3.0.

Workarounds

Exploiting this vulnerability is dependent on the specific policy applied.

For more information

If you have any questions or comments about this advisory:

Open an issue in in-toto-golang
Email us at in-toto-public
If this is a sensitive security-relevant disclosure, please send a PGP encrypted email to santiagotorres@purdue.edu or jcappos@nyu.edu

References

adityasaky published to in-toto/in-toto-golang Sep 21, 2021

Published by the National Vulnerability Database Sep 21, 2021

Reviewed Sep 21, 2021

Published to the GitHub Advisory Database Sep 22, 2021

Last updated Feb 1, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

For more information

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits