CVE-2023-32076: 
Python vulnerability analysis and mitigation

The in-toto framework (versions 1.4.0 and prior) contains a vulnerability in its configuration system that allows attackers to manipulate supply chain integrity checks. The vulnerability (CVE-2023-32076) was disclosed on May 10, 2023, affecting the configuration reading mechanism from local directories, specifically through the .in_totorc hidden file (GitHub Advisory).

The vulnerability stems from in-toto's configuration system reading settings from various directories following the XDG base directory specification, including a .in_totorc hidden file in the directory where in-toto is executed. The issue has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The vulnerability is classified under CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) and CWE-15 (External Control of System or Configuration Setting) (NVD).

An attacker who controls the inputs to a supply chain step can mask their malicious activities by including an .in_totorc file containing specific exclude patterns and settings. This allows them to potentially bypass supply chain integrity checks and manipulate the framework's behavior without detection (GitHub Advisory).

The maintainers have removed support for in_totorc by dropping the entire user_settings module in commit 3a21d84f40811b7d191fa7bd17265c1f99599afd. Users are advised to use API parameters or CLI arguments instead of rc files for configuration. Additionally, it is recommended to sandbox functionary code as a security measure (GitHub Advisory).

The in-toto maintainers noted through conversations with adopters that in_totorc was not their preferred configuration method. This feedback, combined with the security implications and the availability of alternative configuration methods, led to the decision to remove the feature entirely (GitHub Advisory).