Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-32076

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-10 May, 2023 | 17:58
Updated At-27 Jan, 2025 | 18:31
Rejected At-
Credits

in-toto vulnerable to Configuration Read From Local Directory

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the files read is `.in_totorc` which is a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an `.in_totorc` file that includes the necessary exclude patterns and settings. RC files are widely used in other systems and security issues have been discovered in their implementations as well. Maintainers found in their conversations with in-toto adopters that `in_totorc` is not their preferred way to configure in-toto. As none of the options supported in `in_totorc` is unique, and can be set elsewhere using API parameters or CLI arguments, the maintainers decided to drop support for `in_totorc`. in-toto's `user_settings` module has been dropped altogether in commit 3a21d84f40811b7d191fa7bd17265c1f99599afd. Users may also sandbox functionary code as a security measure.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:10 May, 2023 | 17:58
Updated At:27 Jan, 2025 | 18:31
Rejected At:
▼CVE Numbering Authority (CNA)
in-toto vulnerable to Configuration Read From Local Directory

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the files read is `.in_totorc` which is a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an `.in_totorc` file that includes the necessary exclude patterns and settings. RC files are widely used in other systems and security issues have been discovered in their implementations as well. Maintainers found in their conversations with in-toto adopters that `in_totorc` is not their preferred way to configure in-toto. As none of the options supported in `in_totorc` is unique, and can be set elsewhere using API parameters or CLI arguments, the maintainers decided to drop support for `in_totorc`. in-toto's `user_settings` module has been dropped altogether in commit 3a21d84f40811b7d191fa7bd17265c1f99599afd. Users may also sandbox functionary code as a security measure.

Affected Products
Vendor
in-toto
Product
in-toto
Versions
Affected
  • <= 1.4.0
Problem Types
TypeCWE IDDescription
CWECWE-15CWE-15: External Control of System or Configuration Setting
Type: CWE
CWE ID: CWE-15
Description: CWE-15: External Control of System or Configuration Setting
Metrics
VersionBase scoreBase severityVector
3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf
x_refsource_CONFIRM
https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x
x_refsource_MISC
https://github.com/in-toto/in-toto/commit/3a21d84f40811b7d191fa7bd17265c1f99599afd
x_refsource_MISC
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
x_refsource_MISC
Hyperlink: https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x
Resource:
x_refsource_MISC
Hyperlink: https://github.com/in-toto/in-toto/commit/3a21d84f40811b7d191fa7bd17265c1f99599afd
Resource:
x_refsource_MISC
Hyperlink: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf
x_refsource_CONFIRM
x_transferred
https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x
x_refsource_MISC
x_transferred
https://github.com/in-toto/in-toto/commit/3a21d84f40811b7d191fa7bd17265c1f99599afd
x_refsource_MISC
x_transferred
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://github.com/in-toto/in-toto/commit/3a21d84f40811b7d191fa7bd17265c1f99599afd
Resource:
x_refsource_MISC
x_transferred
Hyperlink: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
Resource:
x_refsource_MISC
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:10 May, 2023 | 18:15
Updated At:18 May, 2023 | 21:22

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the files read is `.in_totorc` which is a hidden file in the directory in which in-toto is run. If an attacker controls the inputs to a supply chain step, they can mask their activities by also passing in an `.in_totorc` file that includes the necessary exclude patterns and settings. RC files are widely used in other systems and security issues have been discovered in their implementations as well. Maintainers found in their conversations with in-toto adopters that `in_totorc` is not their preferred way to configure in-toto. As none of the options supported in `in_totorc` is unique, and can be set elsewhere using API parameters or CLI arguments, the maintainers decided to drop support for `in_totorc`. in-toto's `user_settings` module has been dropped altogether in commit 3a21d84f40811b7d191fa7bd17265c1f99599afd. Users may also sandbox functionary code as a security measure.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Secondary3.15.5MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Type: Primary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 5.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CPE Matches
in-toto_project
in-toto_project
>>in-toto>>Versions up to 1.4.0(inclusive)
cpe:2.3:a:in-toto_project:in-toto:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-610Primarynvd@nist.gov
CWE-15Secondarysecurity-advisories@github.com
CWE ID: CWE-610
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-15
Type: Secondary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4xsecurity-advisories@github.com
Vendor Advisory
https://github.com/in-toto/in-toto/commit/3a21d84f40811b7d191fa7bd17265c1f99599afdsecurity-advisories@github.com
Patch
https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pfsecurity-advisories@github.com
Vendor Advisory
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.htmlsecurity-advisories@github.com
Product
Hyperlink: https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://github.com/in-toto/in-toto/commit/3a21d84f40811b7d191fa7bd17265c1f99599afd
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
Source: security-advisories@github.com
Resource:
Product

Change History

0
Information is not available yet

Similar CVEs

2Records found
CVE-2021-3707
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-5.5||MEDIUM
EPSS-6.93% / 91.03%
||
7 Day CHG~0.00%
Published-16 Aug, 2021 | 04:55
Updated-03 Aug, 2024 | 17:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

D-Link router DSL-2750U with firmware vME1.16 or prior versions is vulnerable to unauthorized configuration modification. An unauthenticated attacker on the local network may exploit this, with CVE-2021-3708, to execute any OS commands on the vulnerable device.

Action-Not Available
Vendor-D-Link Corporation
Product-dsl-2750u_firmwaredsl-2750uDSL-2750U
CWE ID-CWE-15
External Control of System or Configuration Setting
CVE-2019-15468
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.12% / 31.80%
||
7 Day CHG~0.00%
Published-14 Nov, 2019 | 16:27
Updated-05 Aug, 2024 | 00:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812071953) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.

Action-Not Available
Vendor-n/aXiaomi
Product-a2_lite_firmwarea2_liten/a
CWE ID-CWE-610
Externally Controlled Reference to a Resource in Another Sphere
Details not found