CVE-2023-32076 – in-toto
Package
Manager: pip
Name: in-toto
Vulnerable Version: >=0 <2.0.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00044 (percentile 0.12546)
Details
in-toto vulnerable to Configuration Read From Local Directory

### Impact

The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are read from directories following the XDG base directory specification [1]. Among the files read is `.in_totorc`, a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an `.in_totorc` file that includes the necessary exclude patterns and settings. RC files are widely used in other systems [2], and security issues have been discovered in their implementations as well [3].

We found in our conversations with in-toto adopters that `in_totorc` is not their preferred way to configure in-toto. As none of the options supported in `in_totorc` is unique to it, and all of them can be set elsewhere using API parameters or CLI arguments, we decided to drop support for `in_totorc`.

### Other Recommendations

Sandbox functionary code as recommended in https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x.

### References

[1] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
[2] https://spec.editorconfig.org/
[3] https://github.blog/2022-04-12-git-security-vulnerability-announced/
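The weakness class described above (CWE-15, configuration taken from a directory the caller does not trust) is easier to see side by side with the fix the advisory chose. The following Python is an added, constructed illustration and is not in-toto's own code: the section name, the setting keys (`exclude_patterns`, `base_path`), the XDG config path `in_toto/config` and the loader functions are assumptions picked to show the pattern. `load_settings_weak` lets an rc file in the working directory override the trusted XDG config; `load_settings_hardened` does what the advisory did, which is to take settings only from explicit API/CLI input; `rc_file_in_workdir` is a simple check a CI job can run to flag a stray `.in_totorc` among step inputs.

```python
"""Constructed example of the rc-file weakness from the advisory and its fix.
Not in-toto's code; names marked 'assumed' are illustration choices."""
import configparser
import tempfile
from pathlib import Path

RC_NAME = ".in_totorc"                       # hidden rc file name from the advisory
SECTION = "settings"                         # assumed section name
ALLOWED_KEYS = {"exclude_patterns", "base_path"}  # assumed setting names


def _read_rc(path: Path) -> dict:
    """Parse one INI-style rc file into a dict; a missing file yields {}."""
    if not path.is_file():
        return {}
    parser = configparser.ConfigParser()
    parser.read(path)
    if SECTION not in parser:
        return {}
    return {k: v for k, v in parser[SECTION].items() if k in ALLOWED_KEYS}


def load_settings_weak(workdir, xdg_config_home) -> dict:
    """Vulnerable pattern: trusted XDG config first, then an rc file from the
    working directory overrides it. Whoever supplies the working directory's
    contents (the inputs of a supply chain step) therefore controls settings."""
    settings = _read_rc(Path(xdg_config_home) / "in_toto" / "config")  # assumed path
    settings.update(_read_rc(Path(workdir) / RC_NAME))
    return settings


def load_settings_hardened(explicit_settings: dict) -> dict:
    """Mitigation taken by the advisory: no rc-file lookup at all. Settings come
    only from parameters the caller passes (API arguments or CLI flags)."""
    unknown = set(explicit_settings) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unknown settings: {sorted(unknown)}")
    return dict(explicit_settings)


def rc_file_in_workdir(workdir) -> bool:
    """Detection aid: True if a hidden rc file is present among step inputs."""
    return (Path(workdir) / RC_NAME).is_file()


def demo():
    """Constructed scenario: a trusted XDG config excludes *.log, while the step's
    working directory carries its own .in_totorc excluding build/*."""
    with tempfile.TemporaryDirectory() as tmp:
        xdg = Path(tmp) / "xdg"
        (xdg / "in_toto").mkdir(parents=True)
        (xdg / "in_toto" / "config").write_text(
            f"[{SECTION}]\nexclude_patterns = *.log\n")

        workdir = Path(tmp) / "step_inputs"
        workdir.mkdir()
        (workdir / RC_NAME).write_text(
            f"[{SECTION}]\nexclude_patterns = build/*\n")

        weak = load_settings_weak(workdir, xdg)
        hardened = load_settings_hardened({"exclude_patterns": "*.log"})
        flagged = rc_file_in_workdir(workdir)
    return weak, hardened, flagged


if __name__ == "__main__":
    weak, hardened, flagged = demo()
    print("weak loader  :", weak)       # exclude_patterns taken from the workdir rc file
    print("hardened     :", hardened)   # only the explicitly supplied value
    print("rc in workdir:", flagged)
```

The hardened loader also rejects unknown keys, so a typo or an unexpected setting fails loudly instead of being silently ignored; combined with the `rc_file_in_workdir` check, a pipeline can both refuse to honour a planted rc file and record that one was present.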
Metadata
Created: 2023-05-11T20:47:56Z
Modified: 2023-05-11T20:47:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-wc64-c5rv-32pf/GHSA-wc64-c5rv-32pf.json
CWE IDs: ["CWE-15", "CWE-610"]
Alternative ID: GHSA-wc64-c5rv-32pf
Finding: F063
Auto approve: 1