CVE-2021-41087 MEDIUM

CVE-2021-41087: Improperly Implemented path matching for in-toto-golang

Vendor In-Toto
Product in-toto-golang
Weakness CWE-345
Published September 21, 2021
Last update August 4, 2024

CVSS base score

5.6/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

01Description

in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo). Exploiting this vulnerability is dependent on the specific policy applied. The problem has been fixed in version 0.3.0.

Key dates

02Disclosure timeline

September 21, 2021 CVE published
August 4, 2024 Record updated