2 matches found
PYSEC-2023-63
in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the...
CVE-2023-32076
Summary of CVE-2023-32076 (in-toto) : The vulnerability affects in-toto up to version 1.4.0, where the framework reads configuration from XDG directories and includes the hidden file .in_totorc. If an attacker controls inputs to a supply chain step, they can inject a crafted .in_totorc with exclu...