Name of the Vulnerable Software and Affected Versions in-toto (affected versions not specified)

Description The issue concerns how in-toto uses PGP keys, specifically with regards to the validation of key creation time, consideration of key revocation, and checking of key usage flags. An attacker could potentially manipulate the system time or use revoked keys to bypass security measures. It is estimated that a large number of devices may be affected, although the exact number is not specified. There is no information available about real-world incidents where this issue was exploited.

Technical details about exploitation include:

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider verifying PGP key properties when exporting a public key from GnuPG, and clarify usage documentation that no verification against the PGP trust model is performed afterwards. Restrict access to the vulnerable PGP key functionality to minimize the risk of exploitation. Avoid using the PGP Key Creation Time, PGP Key Revocation Signatures, and PGP Key Usage Flags variables in the affected in-toto functionality until the issue is resolved.