CVE-2023-32076

Name of the Vulnerable Software and Affected Versions in-toto versions 1.4.0 and prior

Description The in-toto configuration is read from various directories, allowing users to configure the framework's behavior. Among the files read is .in totorc, a hidden file in the directory where in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by passing in an .in totorc file with necessary exclude patterns and settings. RC files are widely used in other systems, and security issues have been discovered in their implementations. Maintainers found that in totorc is not the preferred way to configure in-toto, and as the options supported in in totorc can be set elsewhere using API parameters or CLI arguments, they decided to drop support for in totorc.

Recommendations For versions 1.4.0 and prior, consider updating to a version where support for in totorc has been dropped, as the maintainers have removed the user settings module altogether. As a temporary workaround, consider disabling the use of .in totorc files until a patch is available. Sandbox functionary code as a security measure to minimize the risk of exploitation.