x/vulndb: potential Go vuln in github.com/in-toto/in-toto-golang: GHSA-vrxp-mg9f-hwf3

[GoVulnBot]

In GitHub Security Advisory GHSA-vrxp-mg9f-hwf3, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/in-toto/in-toto-golang	0.3.0	<= 0.2.0

Cross references:

• CVE-2021-41087 appears in issue x/vulndb: potential Go vuln in github.com/in-toto/in-toto-golang: CVE-2021-41087, GHSA-vrxp-mg9f-hwf3 #936 NOT_IMPORTABLE
• GHSA-vrxp-mg9f-hwf3 appears in issue x/vulndb: potential Go vuln in github.com/in-toto/in-toto-golang: CVE-2021-41087, GHSA-vrxp-mg9f-hwf3 #936 NOT_IMPORTABLE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - introduced: TODO (earliest fixed "0.3.0", vuln range "<= 0.2.0")
    packages:
      - package: github.com/in-toto/in-toto-golang
description: |
    ### Impact
    Authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo).

    ### Patches
    The problem has been fixed in version 0.3.0.

    ### Workarounds
    Exploiting this vulnerability is dependent on the specific policy applied.

    ### For more information
    If you have any questions or comments about this advisory:
    * Open an issue in [in-toto-golang](http://github.com/in-toto/in-toto-golang)
    * Email us at [in-toto-public](mailto:in-toto-public@googlegroups.com)
    * If this is a sensitive security-relevant disclosure, please send a PGP encrypted email to santiagotorres@purdue.edu or jcappos@nyu.edu
cves:
  - CVE-2021-41087
ghsas:
  - GHSA-vrxp-mg9f-hwf3

[tatianab]

Duplicate of #936