CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile: 15.5%
The in-toto configuration is read from several directories and lets users adjust the behavior of the framework. The configuration files are read from directories that follow the XDG base directory specification [1]. Among the files read is .in_totorc, a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an .in_totorc file that contains the exclude patterns and settings they need, so that the artifacts they planted are never recorded in the step's link metadata.

RC files are widely used in other systems [2], and security issues have been discovered in their implementations as well [3]. We found in our conversations with in-toto adopters that in_totorc is not their preferred way to configure in-toto. As none of the options supported in in_totorc is unique to it, and every one of them can be set elsewhere using API parameters or CLI arguments, we decided to drop support for in_totorc.
Sandbox functionary code as recommended in https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x.
[1] https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
[2] https://spec.editorconfig.org/
[3] https://github.blog/2022-04-12-git-security-vulnerability-announced/
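The following is an added example written for this page, not in-toto's own code. It models the failure mode described above: a step records the files in its working directory, and a loader that honours a hidden .in_totorc in that same directory lets whoever controls the inputs decide what gets left out. The rc-file layout (a [settings] section with a colon-separated artifact_exclude_patterns key), the fnmatch-based exclusion, and all function names are assumptions made for the illustration; the "hardened" variant reflects what the advisory says the fix did, namely ignoring rc files entirely so that only patterns the functionary passes explicitly take effect.

```python
"""Model of the CVE-2023-32076 failure mode (illustration, not in-toto code).

Assumptions (not taken from the page): rc file has a [settings] section with
an artifact_exclude_patterns key whose value is colon-separated; patterns are
matched with fnmatch against the relative path and the basename.
"""
import configparser
import fnmatch
import os
import tempfile

RC_FILE_NAME = ".in_totorc"  # file name from the advisory


def load_cwd_rc_excludes(root):
    """Vulnerable behaviour: trust a hidden rc file found in the step's own
    working directory, i.e. inside data the attacker may control."""
    cfg = configparser.ConfigParser()
    cfg.read(os.path.join(root, RC_FILE_NAME))
    raw = cfg.get("settings", "artifact_exclude_patterns", fallback="")
    return [p for p in raw.split(":") if p]


def record_artifacts(root, exclude_patterns):
    """Return the relative paths a step would record, minus excluded ones."""
    recorded = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            rel = rel.replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, p) or fnmatch.fnmatch(name, p)
                   for p in exclude_patterns):
                continue
            recorded.append(rel)
    return sorted(recorded)


def record_vulnerable(root, cli_excludes=()):
    """Before the fix: exclude list = explicit arguments + whatever the
    attacker-supplied .in_totorc says."""
    return record_artifacts(root, list(cli_excludes) + load_cwd_rc_excludes(root))


def record_hardened(root, cli_excludes=()):
    """After the fix (rc support dropped in in-toto 2.0.0): only patterns the
    functionary passed explicitly are honoured; .in_totorc is just another
    file in the tree and is recorded like any other artifact."""
    return record_artifacts(root, list(cli_excludes))


def build_fixture():
    """Constructed sample step directory: one legitimate source file, one
    planted binary, and an attacker-supplied rc file that hides both the
    binary and itself."""
    root = tempfile.mkdtemp(prefix="in_toto_rc_demo_")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "app.py"), "w") as f:
        f.write("print('hello')\n")
    with open(os.path.join(root, "backdoor.so"), "wb") as f:
        f.write(b"\x7fELF-not-really")  # constructed placeholder payload
    with open(os.path.join(root, RC_FILE_NAME), "w") as f:
        f.write("[settings]\n"
                "artifact_exclude_patterns = backdoor*:.in_totorc\n")
    return root


if __name__ == "__main__":
    d = build_fixture()
    # vulnerable: ['src/app.py']  (the backdoor never appears in the link)
    print("vulnerable:", record_vulnerable(d))
    # hardened: ['.in_totorc', 'backdoor.so', 'src/app.py']
    print("hardened: ", record_hardened(d))
```

The point the verifier-side comparison makes is that the two runs differ only in where the exclude list comes from: the hardened recorder still supports exclusions, but they have to be supplied by the functionary on the command line or through the API, which is exactly the replacement the advisory describes. Note also that the rc file excludes itself, so a reviewer looking only at the recorded materials would see no trace that any configuration was injected.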
Vendor | Product | Version | CPE |
---|---|---|---|
in-toto_project | in-toto | * | cpe:2.3:a:in-toto_project:in-toto:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-wc64-c5rv-32pf
github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x
github.com/in-toto/in-toto/commit/3a21d84f40811b7d191fa7bd17265c1f99599afd
github.com/in-toto/in-toto/releases/tag/v2.0.0
github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf
github.com/pypa/advisory-database/tree/main/vulns/in-toto/PYSEC-2023-63.yaml
nvd.nist.gov/vuln/detail/CVE-2023-32076
specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html