CVE Vulnerability

CVE-2021-41087

in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo). Exploiting this vulnerability is dependent on the specific policy applied. The problem has been fixed in version 0.3.0.

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/in-toto/in-toto-golang/commit/f2c57d1e0f15e3ffbeac531829c696b72ecc4290 Patch Third Party Advisory
https://github.com/in-toto/in-toto-golang/security/advisories/GHSA-vrxp-mg9f-hwf3 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:in-toto:in-toto-golang:*:*:*:*:*:*:*:*
Information

Published : 2021-09-21 09:15

Updated : 2021-10-05 04:30

NVD link : CVE-2021-41087

Mitre link : CVE-2021-41087

Products Affected
No products.
CWE
CWE-22