Pxp928

#44934 of 53,624
5.6 Total CVSS
Vulnerabilities · 1
PT-2021-23079
5.6
2021-09-21
Unknown · In-Toto-Golang · CVE-2021-41087
**Name of the Vulnerable Software and Affected Versions**

in-toto-golang versions prior to 0.3.0

**Description**

The issue allows authenticated attackers posing as functionaries to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys may issue an attestation that contains a disallowed artifact by including path traversal semantics, such as `dir/../foo`. Exploiting this issue is dependent on the specific policy applied.

**Recommendations**

For versions prior to 0.3.0, update to version 0.3.0 to resolve the issue. As a temporary workaround, consider restricting access to trusted private keys and reviewing the specific policy applied to minimize the risk of exploitation.