PT-2021-23079 · Unknown · In-Toto-Golang

Pxp928 · Published 2021-09-21 · Updated 2024-08-21 · CVE-2021-41087

CVSS v3.1: 5.6 (Medium)
Vector: AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: in-toto-golang versions prior to 0.3.0

Description: The issue allows authenticated attackers posing as functionaries to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys may issue an attestation that contains a disallowed artifact by including path traversal semantics, such as dir/../foo, so that the recorded artifact name does not match the rule even though it resolves to a disallowed path. Whether this issue is exploitable depends on the specific policy applied.

Recommendations: For versions prior to 0.3.0, update to version 0.3.0 to resolve the issue. As a temporary workaround, consider restricting access to trusted private keys and reviewing the specific policy applied to minimize the risk of exploitation.
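As an added illustration of the normalisation that closes this class of bypass (this is not in-toto-golang's own code; the DISALLOW patterns, the prefix matching and the artifact names are constructed assumptions), the following Go snippet compares matching on raw recorded names with matching on canonicalised paths:

```go
package main

import (
	"path"
	"strings"
)

// Constructed DISALLOW patterns (an added illustration, not in-toto-golang's code or rule syntax).
var disallowed = []string{"foo", "secrets/"}

// Canonicalize collapses ".", ".." and repeated separators so "dir/../foo" and "foo" name
// the same artifact; ok is false when the cleaned path still escapes the tree.
func Canonicalize(p string) (clean string, ok bool) {
	clean = path.Clean(p)
	if clean == ".." || strings.HasPrefix(clean, "../") || strings.HasPrefix(clean, "/") {
		return clean, false
	}
	return clean, true
}

// matchesRule reports whether an artifact name equals or sits under a DISALLOW pattern.
func matchesRule(artifact string) bool {
	for _, rule := range disallowed {
		if artifact == rule || strings.HasPrefix(artifact, rule) {
			return true
		}
	}
	return false
}

// Violations returns the recorded artifacts that hit a DISALLOW rule. With normalize=false the
// raw name is compared (how a traversal form slips through); with normalize=true the path is
// canonicalised first and names that escape the tree are reported as violations too.
func Violations(artifacts []string, normalize bool) []string {
	var out []string
	for _, a := range artifacts {
		name, ok := a, true
		if normalize {
			name, ok = Canonicalize(a)
		}
		if !ok || matchesRule(name) {
			out = append(out, a)
		}
	}
	return out
}
```

Run against a constructed material list such as {"dir/../foo", "src/main.go", "build/../secrets/key.pem", "../escape", "secrets/db.yaml"}, the raw comparison flags only "secrets/db.yaml", while the canonicalised comparison also catches the two traversal forms and the escaping path.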

Fix

Weakness Enumeration

Path traversal
Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2021-41087
GHSA-VRXP-MG9F-HWF3
GO-2022-0936

Affected Products

In-Toto-Golang