in-toto

While testing and contributing to the in-toto project, I determined that, depending on the location of a file (i.e., its file path) provided in a layout file, a user could bypass the checks verified by in-toto. This would allow "DISALLOWED" objects to pass through in-toto's verification step. This led to further investigation and a report to the maintainers of the in-toto project. As this was a serious issue, a CVE was created to inform the community. See below for more details about the vulnerability. Rest assured, this has been patched!

Impact

in-toto-golang is a Go implementation of the in-toto framework to protect software supply chain integrity. In affected versions, authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo). Exploiting this vulnerability is dependent on the specific policy applied.
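To make the "foo vs dir/../foo" point concrete from the verifier's side, here is an added Go example (written for this page, not code from in-toto-golang) with a hypothetical, stripped-down DisallowRule type and two matchers: one that compares the attested artifact path exactly as written, and one that canonicalizes both the rule pattern and the artifact path with path.Clean before matching. The rules, artifact list and helper names are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// DisallowRule is a hypothetical, simplified stand-in for an in-toto
// "DISALLOW <pattern>" artifact rule. It is not a type from in-toto-golang;
// it exists only to show how path spelling affects rule matching.
type DisallowRule struct {
	Pattern string // a literal path or a glob in path.Match syntax
}

// matchRaw compares the artifact path with the pattern exactly as written.
// Because "dir/../foo" is not the string "foo", an attestation that spells
// a disallowed artifact with traversal segments is not caught.
func matchRaw(rule DisallowRule, artifact string) bool {
	ok, err := path.Match(rule.Pattern, artifact)
	return err == nil && ok
}

// normalize collapses ".", ".." and repeated slashes and drops a leading
// "./" so that every spelling of the same file has one canonical form.
func normalize(p string) string {
	return strings.TrimPrefix(path.Clean(p), "./")
}

// matchNormalized canonicalizes both sides before matching, so
// "dir/../foo", "./foo" and "foo" are all judged against the same rule.
func matchNormalized(rule DisallowRule, artifact string) bool {
	ok, err := path.Match(normalize(rule.Pattern), normalize(artifact))
	return err == nil && ok
}

// Disallowed returns the artifacts from an attestation that violate at least
// one DISALLOW rule under the given matcher, in input order.
func Disallowed(rules []DisallowRule, artifacts []string, match func(DisallowRule, string) bool) []string {
	var hits []string
	for _, a := range artifacts {
		for _, r := range rules {
			if match(r, a) {
				hits = append(hits, a)
				break
			}
		}
	}
	return hits
}

func main() {
	// Constructed sample: a layout that forbids "foo" and any "*.sh" artifact,
	// and an attestation whose artifact list spells them with traversal.
	rules := []DisallowRule{{Pattern: "foo"}, {Pattern: "*.sh"}}
	artifacts := []string{"dir/../foo", "./build/../run.sh", "src/main.go"}

	fmt.Println("raw matcher flags:       ", Disallowed(rules, artifacts, matchRaw))
	fmt.Println("normalized matcher flags:", Disallowed(rules, artifacts, matchNormalized))
}
```

Run as written, the raw matcher flags nothing while the normalized matcher flags both traversal-spelled artifacts. Two caveats for anyone writing a real policy engine: path.Clean works on slash-separated paths and leaves a leading "../" in place, so an artifact name that escapes the root stays distinct from "foo" and is better rejected outright than matched; and normalization must be applied to every rule type that compares paths, not only DISALLOW, or the same spelling trick reappears in ALLOW and MATCH handling.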

Patches

The problem has been fixed in version 0.3.0.

Workarounds

Exploiting this vulnerability is dependent on the specific policy applied.

Further CVE documentation