How the mentioned CVE works:
The vulnerability exists because gittuf loads its active policy by reading the Reference State Log (RSL). The first policy is trusted via TOFU or manually specified keys. For every subsequent RSL entry pointing to a new policy, gittuf verifies that the new policy’s root metadata is signed by a threshold of the current policy’s root keys.

An attacker with push access to the RSL can create a malicious RSL entry that references an old policy, as long as that old policy is still trusted by the most recent policy’s root key set. This rolls back the policy to an attacker‑chosen previous state. The attacker cannot roll back to a policy that would no longer be trusted by the current root keys (e.g., if root keys changed from Alice+Bob to Alice+Carol, the attacker cannot revert to the Alice+Bob policy). The attack requires push access to the RSL, which on forges like GitHub or GitLab is typically limited to maintainers or the forge itself.

The fix introduces a monotonically increasing number in all policy metadata files (root, primary, delegated). This number increments by exactly one whenever a v0.14.0+ client updates the policy. During verification, gittuf checks that the monotonically increasing number of any new policy file is exactly one greater than the current one. The remediation includes upgrading to v0.14.0+ and running `gittuf trust increment-version` or `gittuf policy increment-version`. The attack leaves evidence in the RSL, which can be audited with `gittuf rsl log --ref refs/gittuf/policy`.
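The following Python model, added here as an illustration and not taken from gittuf’s code base, walks a chain of RSL entries exactly as described above: each candidate policy must be signed by a threshold of the current policy’s root keys, and (with the v0.14.0 rule switched on) its version number must be exactly one greater than the current one. Key IDs, secrets and policy states are constructed for the example, and HMAC-SHA256 stands in for real signatures. It shows why the signature check alone accepts a re-referenced old policy, why a key rotation already blocks that rollback, and how the version check rejects it in the remaining case.

```python
"""Toy model of gittuf-style policy chain verification (added example, not gittuf code).

Each RSL entry points at a policy state whose root metadata must be signed by a
threshold of the *current* policy's root keys.  The v0.14.0 fix additionally
requires the new policy's version number to be exactly current + 1.
HMAC-SHA256 with per-key secrets stands in for real signatures (assumption).
"""
import hashlib
import hmac

# Constructed key material: key ID -> secret (stand-in for signing keys).
KEYS = {"alice": b"alice-secret", "bob": b"bob-secret", "carol": b"carol-secret"}


def canonical(root_keys, threshold, version):
    """Canonical byte form of root metadata; this is what gets signed."""
    return f"{','.join(sorted(root_keys))}|{threshold}|{version}".encode()


def sign(key_id, body):
    return hmac.new(KEYS[key_id], body, hashlib.sha256).hexdigest()


def make_policy(root_keys, threshold, version, signers):
    """Build a policy state: root key set, threshold, version, and signatures."""
    body = canonical(root_keys, threshold, version)
    return {
        "root_keys": frozenset(root_keys),
        "threshold": threshold,
        "version": version,
        "sigs": {k: sign(k, body) for k in signers},
    }


def threshold_met(current, candidate):
    """Count candidate's signatures made by keys the *current* policy trusts."""
    body = canonical(candidate["root_keys"], candidate["threshold"], candidate["version"])
    valid = sum(
        1 for key_id, sig in candidate["sigs"].items()
        if key_id in current["root_keys"] and hmac.compare_digest(sig, sign(key_id, body))
    )
    return valid >= current["threshold"]


def verify_chain(initial, rsl_entries, enforce_version):
    """Walk RSL entries starting from the trusted initial policy.

    enforce_version=False models the pre-v0.14.0 check (signatures only);
    enforce_version=True adds the monotonic version check from the fix.
    Returns (accepted, reason, version of the policy left active).
    """
    current = initial
    for i, entry in enumerate(rsl_entries, start=1):
        if not threshold_met(current, entry):
            return False, f"entry {i}: root threshold not met", current["version"]
        if enforce_version and entry["version"] != current["version"] + 1:
            return False, (f"entry {i}: version {entry['version']} is not "
                           f"{current['version'] + 1}"), current["version"]
        current = entry
    return True, "chain accepted", current["version"]


def rollback_same_keys():
    """An RSL entry re-references P1 after P2; P2's key set still trusts alice+bob."""
    p1 = make_policy({"alice", "bob"}, 2, 1, ["alice", "bob"])
    p2 = make_policy({"alice", "bob", "carol"}, 2, 2, ["alice", "bob"])
    rsl = [p2, p1]  # last entry points back at the old policy
    return verify_chain(p1, rsl, False), verify_chain(p1, rsl, True)


def rollback_after_key_rotation():
    """Root keys rotate alice+bob -> alice+carol; reverting to P1 fails even pre-fix."""
    p1 = make_policy({"alice", "bob"}, 2, 1, ["alice", "bob"])
    p2 = make_policy({"alice", "carol"}, 2, 2, ["alice", "bob"])
    rsl = [p2, p1]
    return verify_chain(p1, rsl, False), verify_chain(p1, rsl, True)


def legitimate_updates():
    """Normal history: every update bumps the version by exactly one."""
    p1 = make_policy({"alice", "bob"}, 2, 1, ["alice", "bob"])
    p2 = make_policy({"alice", "bob", "carol"}, 2, 2, ["alice", "bob"])
    p3 = make_policy({"alice", "bob", "carol"}, 2, 3, ["bob", "carol"])
    return verify_chain(p1, [p2, p3], True)


if __name__ == "__main__":
    print("rollback, same keys   :", rollback_same_keys())
    print("rollback, rotated keys:", rollback_after_key_rotation())
    print("legitimate updates    :", legitimate_updates())
```

The pre-fix verifier ends the first scenario with version 1 active again, because the old root metadata still carries valid signatures from keys the current policy trusts; the fixed verifier stops at the same entry with a version mismatch and leaves version 2 active. The rotated-key scenario is rejected by both, which is the boundary the advisory describes.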
dailycve form:
Platform: gittuf
Version: before v0.14.0
Vulnerability: Policy rollback
Severity: Medium
Date: 2025-03-01
Prediction: Already patched
What Undercode Say:
Check for rollback attack evidence: `gittuf rsl log --ref refs/gittuf/policy`
Add the monotonic version field (patch step): `gittuf trust increment-version` or `gittuf policy increment-version`
Verify the policy after upgrade: `gittuf policy verify`
How the exploit works:
Attacker with push access adds an RSL entry pointing to an old policy that is still trusted by the current root keys. Example: `git push` a crafted RSL entry referencing previous policy blob. No code execution required – only RSL manipulation.
Protection from this CVE
Upgrade to gittuf v0.14.0 or later. Run `gittuf trust increment-version` (or `gittuf policy increment-version`) to add monotonic version numbers. Restrict push access to the RSL ref (`refs/gittuf/rsl`). Regularly audit the RSL log for unexpected entries that point at older policies.
Impact
Unauthorized policy rollback to any previous state still trusted by current root keys. This can re‑enable old, weaker root keys, revive revoked delegations, or restore policies with known flaws. Attack requires push access (maintainer or forge compromise). Leaves detectable RSL entries.
Sources:
Reported By: github.com