Fluid Attacks Database

Description

Improperly Implemented path matching for in-toto-golang

Impact

Authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo).

Patches

The problem has been fixed in version 0.3.0.

Workarounds

Exploiting this vulnerability is dependent on the specific policy applied.

For more information

If you have any questions or comments about this advisory:

Open an issue in in-toto-golang

Email us at in-toto-public

If this is a sensitive security-relevant disclosure, please send a PGP encrypted email to [email protected] or [email protected]

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/in-toto/in-toto-golang	>=0 <0.3.0	0.3.0

Aliases

1. CVE-2021-410872. NVD-2021-410873. OSV-2021-410874. GHSA-vrxp-mg9f-hwf35. GCVE-2021-41087

References

1. https://github.com/in-toto/in-toto-golang/security/advisories/GHSA-vrxp-mg9f-hwf32. https://github.com/in-toto/in-toto-golang/commit/f2c57d1e0f15e3ffbeac531829c696b72ecc4290

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.