
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-41087 affects in-toto-golang, a Go implementation of the in-toto framework designed to protect software supply chain integrity. The vulnerability was discovered and disclosed on September 21, 2021, affecting versions <=0.2.0 of the package (GitHub Advisory).
The vulnerability stems from improperly implemented path matching in the in-toto-golang package. Artifact paths are matched against layout rules without first being normalized, so path traversal semantics can bypass DISALLOW rules in layouts; the same flaw affects how the package handles wildcards and relative paths. The vulnerability has been assigned a Moderate severity rating and is categorized under CWE-358 (GitHub Advisory).
Authenticated attackers with access to trusted private keys who can pose as functionaries can create attestations that bypass DISALLOW rules in layouts. This is achieved by including path traversal semantics in artifact paths, e.g., a DISALLOW rule written for foo does not match the artifact path dir/../foo even though both resolve to the same file (GitHub Advisory).
The vulnerability has been patched in version 0.3.0 of in-toto-golang. Users should upgrade to this version or later to address the issue. The effectiveness of potential workarounds depends on the specific policy being applied (GitHub Advisory).
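The following Go snippet is an added illustration of the matching weakness described above, not code from in-toto-golang or from the advisory. It assumes a simplified layout where DISALLOW rules are plain path.Match patterns, and contrasts matching the raw artifact path with matching a normalized one.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// disallowedRaw matches the artifact path exactly as the functionary wrote it.
// This is the weak behaviour assumed here: "dir/../foo" is never equal to "foo",
// so a DISALLOW rule for "foo" is silently skipped.
func disallowedRaw(patterns []string, artifact string) bool {
	for _, p := range patterns {
		if ok, _ := path.Match(p, artifact); ok {
			return true
		}
	}
	return false
}

// normalizeArtifact collapses "." and ".." segments so the path is compared in
// the same canonical form the layout author used when writing the rule.
func normalizeArtifact(artifact string) string {
	return path.Clean(artifact)
}

// disallowedNormalized is the hardened check: normalize first, refuse anything
// that still escapes the artifact root, then apply the DISALLOW patterns.
func disallowedNormalized(patterns []string, artifact string) bool {
	clean := normalizeArtifact(artifact)
	if clean == ".." || strings.HasPrefix(clean, "../") || path.IsAbs(clean) {
		return true // escaping the root is never allowed
	}
	return disallowedRaw(patterns, clean)
}

func main() {
	// Constructed sample: one DISALLOW rule and a traversal-style artifact path.
	rules := []string{"foo"}
	artifact := "dir/../foo"
	fmt.Println("raw match blocks it:       ", disallowedRaw(rules, artifact))        // false
	fmt.Println("normalized match blocks it:", disallowedNormalized(rules, artifact)) // true
}
```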
Source: This report was generated using AI