Product Research Enterprise Plans Docs

PyPi: In-Toto

CVE-2020-36242

Transitive

Safety vulnerability ID: 41832

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 07, 2021 Updated at May 14, 2024

Scan your Python projects for vulnerabilities →

Advisory

In-toto version 1.0.1 updates its dependency "cryptography" to include a security fix.

Affected package

in-toto

Latest version: 3.0.0

A framework to define and secure the integrity of software supply chains

Affected versions

Fixed versions

Vulnerability changelog

Added
* Added tests that use source and destination prefixes in match rules, courtesy of
Brandon Michael Hunter (456)

Changed
* Updated documentation of command alignment during verification workflow (455)
* Started using GitHub-native dependabot (450)
* Bump dependencies: attrs (451), six (452), securesystemslib (453),
cffi (457), python-dateutil (458), iso8601 (459), pathspec (460)
* Fixed linter warnings (462)

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36242

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

CRITICAL 9.1

CVSS v3 Details

CRITICAL 9.1

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): HIGH
Integrity Impact (I): NONE
Availability Availability (A): HIGH

CVSS v2 Details

MEDIUM 6.4

Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (Au): NONE
Confidentiality Impact (C): PARTIAL
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL