GHSA-VRXP-MG9F-HWF3
Vulnerability from github – Published: 2021-09-22 20:37 – Updated: 2021-09-21 21:51
VLAI?
Summary
Improperly Implemented path matching for in-toto-golang
Details
Impact
Authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo).
Patches
The problem has been fixed in version 0.3.0.
Workarounds
Exploiting this vulnerability is dependent on the specific policy applied.
For more information
If you have any questions or comments about this advisory: * Open an issue in in-toto-golang * Email us at in-toto-public * If this is a sensitive security-relevant disclosure, please send a PGP encrypted email to santiagotorres@purdue.edu or jcappos@nyu.edu
Severity ?
5.6 (Medium)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.2.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/in-toto/in-toto-golang"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41087"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2021-09-21T21:51:18Z",
"nvd_published_at": "2021-09-21T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nAuthenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo).\n\n### Patches\nThe problem has been fixed in version 0.3.0.\n\n### Workarounds\nExploiting this vulnerability is dependent on the specific policy applied.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [in-toto-golang](http://github.com/in-toto/in-toto-golang)\n* Email us at [in-toto-public](mailto:in-toto-public@googlegroups.com)\n* If this is a sensitive security-relevant disclosure, please send a PGP encrypted email to santiagotorres@purdue.edu or jcappos@nyu.edu\n",
"id": "GHSA-vrxp-mg9f-hwf3",
"modified": "2021-09-21T21:51:18Z",
"published": "2021-09-22T20:37:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/in-toto/in-toto-golang/security/advisories/GHSA-vrxp-mg9f-hwf3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41087"
},
{
"type": "WEB",
"url": "https://github.com/in-toto/in-toto-golang/commit/f2c57d1e0f15e3ffbeac531829c696b72ecc4290"
},
{
"type": "PACKAGE",
"url": "https://github.com/in-toto/in-toto-golang"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improperly Implemented path matching for in-toto-golang"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…