Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improperly Implemented path matching for in-toto-golang
Vulnerability Description
in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo). Exploiting this vulnerability is dependent on the specific policy applied. The problem has been fixed in version 0.3.0.
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Vulnerability Type
对数据真实性的验证不充分
Vulnerability Title
Intoto-Golang 路径遍历漏洞
Vulnerability Description
Intoto-Golang是一个保护软件供应链完整性的框架。 intoto-golang 存在路径遍历漏洞,经过身份验证的攻击者可以冒充工作人员(即,在布局的受信任用户集内)创建可能绕过同一布局中的 DISALLOW 规则的证明。
CVSS Information
N/A
Vulnerability Type
N/A