Improperly Implemented path matching for in-toto-golang
Severity: Moderate
GitHub Reviewed
Published Sep 21, 2021 in in-toto/in-toto-golang
Updated Feb 1, 2023
Package
Affected versions: <= 0.2.0
Patched versions: 0.3.0
Description
Published by the National Vulnerability Database: Sep 21, 2021
Reviewed: Sep 21, 2021
Published to the GitHub Advisory Database: Sep 22, 2021
Last updated: Feb 1, 2023
Impact
Authenticated attackers posing as functionaries (i.e., users within the trusted set for a layout) are able to create attestations that may bypass DISALLOW rules in that same layout. An attacker with access to trusted private keys may issue an attestation that contains a disallowed artifact by using path traversal semantics in the artifact name (e.g., foo vs. dir/../foo), so that the name no longer matches the rule pattern literally.
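As an added illustration (not in-toto-golang's own code), the following Go snippet contrasts a raw-string glob comparison, which lets dir/../foo escape a DISALLOW rule written for foo, with a matcher that normalizes artifact paths on both sides before comparing; the helper names and the sample rule and product lists are constructed for this example.

```go
package main

import (
	"fmt"
	"path"
)

// normalizeArtifactPath collapses "." and ".." segments and repeated slashes
// so every spelling of one file compares equal (hypothetical helper for this
// example, not in-toto-golang's own code).
func normalizeArtifactPath(p string) string {
	return path.Clean(p)
}

// naiveMatch matches the raw artifact name against a DISALLOW glob: the weak
// behaviour the advisory describes, where "dir/../foo" escapes a rule for "foo".
func naiveMatch(pattern, artifact string) bool {
	ok, err := path.Match(pattern, artifact)
	return err == nil && ok
}

// normalizedMatch normalizes both sides first, so traversal segments cannot
// slip an artifact past a DISALLOW rule.
func normalizedMatch(pattern, artifact string) bool {
	ok, err := path.Match(normalizeArtifactPath(pattern), normalizeArtifactPath(artifact))
	return err == nil && ok
}

// disallowedArtifacts returns every product from an attestation that violates
// one of the layout's DISALLOW patterns, using the normalizing matcher.
func disallowedArtifacts(patterns, artifacts []string) []string {
	var violations []string
	for _, a := range artifacts {
		for _, p := range patterns {
			if normalizedMatch(p, a) {
				violations = append(violations, a)
				break
			}
		}
	}
	return violations
}

func main() {
	rules := []string{"*.exe", "secrets.txt"} // constructed DISALLOW patterns
	products := []string{"build/app.tar.gz", "bin/../dropper.exe", "./secrets.txt"}
	fmt.Println(naiveMatch("*.exe", "bin/../dropper.exe"))      // false
	fmt.Println(normalizedMatch("*.exe", "bin/../dropper.exe")) // true
	fmt.Println(disallowedArtifacts(rules, products))           // [bin/../dropper.exe ./secrets.txt]
}
```

Note that path.Clean leaves a leading "../" in place, so a verifier should additionally reject artifact names that still escape upward after normalization.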
Patches
The problem has been fixed in version 0.3.0.
Workarounds
Whether this vulnerability can be exploited depends on the specific policy (layout) applied.
For more information
If you have any questions or comments about this advisory: