Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12cnhwLW1nOWYtaHdmM80V7g
Improperly Implemented path matching for in-toto-golang
Impact
Authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo).
Patches
The problem has been fixed in version 0.3.0.
Workarounds
Exploiting this vulnerability is dependent on the specific policy applied.
For more information
If you have any questions or comments about this advisory:
- Open an issue in in-toto-golang
- Email us at in-toto-public
- If this is a sensitive security-relevant disclosure, please send a PGP encrypted email to [email protected] or [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12cnhwLW1nOWYtaHdmM80V7g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 5.6
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Identifiers: GHSA-vrxp-mg9f-hwf3, CVE-2021-41087
References:
- https://github.com/in-toto/in-toto-golang/security/advisories/GHSA-vrxp-mg9f-hwf3
- https://nvd.nist.gov/vuln/detail/CVE-2021-41087
- https://github.com/in-toto/in-toto-golang/commit/f2c57d1e0f15e3ffbeac531829c696b72ecc4290
- https://github.com/advisories/GHSA-vrxp-mg9f-hwf3
Blast Radius: 16.6
Affected Packages
go:github.com/in-toto/in-toto-golang
Dependent packages: 433Dependent repositories: 906
Downloads:
Affected Version Ranges: <= 0.2.0
Fixed in: 0.3.0
All affected versions: 0.1.0, 0.2.0
All unaffected versions: 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0