CVE-2021-41087 — in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity · QSearch CVE Watch

Severity and scoring

CVSS: 5.6 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
CWE: CWE-22, CWE-345

Affected products

Vendor	Product
in-toto	in-toto-golang

Description

in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo). Exploiting this vulnerability is dependent on the specific policy applied. The problem has been fixed in version 0.3.0.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-48777 — FileBrowser Quantum is a free, self-hosted, web-based file manager
CVE-2026-53862 — OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with... (4.2 MEDIUM)
CVE-2026-53900 — Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a mali... (4.3 MEDIUM)
CVE-2026-53899 — Firefox for iOS used partial domain matching when attaching cookies to PDF requests, allowing a malicious site on a suffix domain to rece... (6.5 MEDIUM)
CVE-2026-8442 — The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8 (8.1 HIGH)