SCA: security update for in-toto (GHSA-wc64-c5rv-32pf)

medium Tenable Self-Hosted Container Security Plugin ID 421670

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various
directories and allows users to configure the behavior of the framework. The files are from directories
following the XDG base directory specification. In versions 1.4.0 and prior, among the files read is
`.in_totorc` which is a hidden file in the directory in which in-toto is run. If an attacker controls the
inputs to a supply chain step, they can mask their activities by also passing in an `.in_totorc` file that
includes the necessary exclude patterns and settings. RC files are widely used in other systems and
security issues have been discovered in their implementations as well. Maintainers found in their
conversations with in-toto adopters that `in_totorc` is not their preferred way to configure in-toto. As
none of the options supported in `in_totorc` is unique, and can be set elsewhere using API parameters or
CLI arguments, the maintainers decided to drop support for `in_totorc`. in-toto's `user_settings` module
has been dropped altogether in commit 3a21d84f40811b7d191fa7bd17265c1f99599afd. Users may also sandbox
functionary code as a security measure. (CVE-2023-32076)

See Also

https://github.com/advisories/GHSA-wc64-c5rv-32pf

Plugin Details

Severity: Medium

ID: 421670

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:C/A:N

CVSS Score Source: CVE-2023-32076

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/11/2023

Vulnerability Publication Date: 5/10/2023

Reference Information

CVE: CVE-2023-32076