Gittuf Policy Rollback Vulnerability
Vulnerability
A vulnerability in Gittuf prior to version 0.14.0 allows an attacker with push access to the Reference State Log (RSL) to roll back the current policy to any previous version that is still trusted by the existing root keys. Gittuf determines which policy to load by walking the RSL. Except for the initial policy, which is trusted automatically, Gittuf verifies that each new policy is endorsed by the required threshold of root keys from the current policy. That check only establishes who signed the candidate policy, not whether it is newer than the policy in force, so an attacker can create an RSL entry that points back at an older, previously endorsed policy and Gittuf accepts it, reverting its policy to a state of the attacker's choosing.
Impact
Exploitation of this vulnerability allows unauthorized policy rollbacks: anyone who can push to the RSL can reinstate a policy that the administrators had already superseded, and Gittuf then verifies the repository against those outdated rules rather than the current ones. This undermines the policy management and security model Gittuf is meant to enforce.
Remediation
Users are advised to upgrade Gittuf to version 0.14.0 or later. After upgrading, a root of trust user or policy administrator must run 'gittuf trust increment-version' or 'gittuf policy increment-version' to update the policy metadata. Additionally, repositories should be audited for RSL entries that point the policy reference at an older policy than the one preceding it, since such an entry indicates that a rollback attack was attempted.
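The following Go program is an added illustration and is not gittuf's own code. It models the RSL walk described above with a flag that switches between the pre-0.14.0 behaviour (endorsement check only) and a monotonic version check, which is an assumption made here to model the fix implied by the increment-version commands. It also returns the RSL entries a repository audit would flag as attempted rollbacks. The type and field names (Policy, RSLEntry, Version, Signers), the sample policies and the sample RSL are all constructed for this example, and signature verification is reduced to comparing key IDs.

```go
package main

import (
	"errors"
	"fmt"
)

// policyRef is the reference whose RSL entries select the policy in force.
const policyRef = "refs/gittuf/policy"

// Policy models the subset of policy metadata this example needs.
// Field names are assumptions for illustration, not gittuf's own types.
type Policy struct {
	ID        string          // identifier an RSL entry points at
	Version   int             // monotonically increasing counter (assumed model of the fix)
	RootKeys  map[string]bool // root key IDs this policy trusts
	Threshold int             // root signatures a successor policy must carry
	Signers   map[string]bool // key IDs that signed this policy (real signature checks elided)
}

// RSLEntry models a reference-update entry in the Reference State Log.
type RSLEntry struct {
	Ref    string
	Target string
}

// endorsed reports whether candidate carries signatures from at least
// current.Threshold of current's root keys. This is the only check the
// vulnerable loader performs on a non-initial policy.
func endorsed(current, candidate Policy) bool {
	n := 0
	for k := range candidate.Signers {
		if current.RootKeys[k] {
			n++
		}
	}
	return n >= current.Threshold
}

// loadPolicy walks the RSL and returns the policy in force. The first policy
// entry is trusted as-is; each later one must be endorsed by the current policy.
// With requireNewer=false it behaves like the pre-0.14.0 loader. With
// requireNewer=true it additionally rejects an endorsed candidate whose version
// does not exceed the current one; such entries are recorded and skipped so an
// audit can report every attempted rollback in one pass.
func loadPolicy(rsl []RSLEntry, policies map[string]Policy, requireNewer bool) (Policy, []int, error) {
	var current Policy
	have := false
	var rollbacks []int
	for i, e := range rsl {
		if e.Ref != policyRef {
			continue // updates to other refs do not change the policy
		}
		cand, ok := policies[e.Target]
		if !ok {
			return Policy{}, nil, fmt.Errorf("RSL entry %d references unknown policy %q", i, e.Target)
		}
		if !have {
			current, have = cand, true // initial policy is trusted automatically
			continue
		}
		if !endorsed(current, cand) {
			return Policy{}, nil, fmt.Errorf("RSL entry %d: %s lacks %d signatures from current root keys", i, cand.ID, current.Threshold)
		}
		if requireNewer && cand.Version <= current.Version {
			rollbacks = append(rollbacks, i) // endorsed but stale: a rollback attempt
			continue
		}
		current = cand
	}
	if !have {
		return Policy{}, nil, errors.New("no policy entry in RSL")
	}
	return current, rollbacks, nil
}

// demoRSL builds a constructed scenario: policy-v2 raised the root threshold
// from 1 to 2, then an attacker with RSL push access re-points the policy
// reference at policy-v1, which the current root keys had endorsed earlier.
func demoRSL() ([]RSLEntry, map[string]Policy) {
	keys := func(ids ...string) map[string]bool {
		m := map[string]bool{}
		for _, id := range ids {
			m[id] = true
		}
		return m
	}
	policies := map[string]Policy{
		"policy-v1": {ID: "policy-v1", Version: 1, RootKeys: keys("alice", "bob"), Threshold: 1, Signers: keys("alice", "bob")},
		"policy-v2": {ID: "policy-v2", Version: 2, RootKeys: keys("alice", "bob"), Threshold: 2, Signers: keys("alice", "bob")},
	}
	rsl := []RSLEntry{
		{Ref: policyRef, Target: "policy-v1"},
		{Ref: "refs/heads/main", Target: "commit-1"},
		{Ref: policyRef, Target: "policy-v2"},
		{Ref: policyRef, Target: "policy-v1"}, // attacker's rollback entry
	}
	return rsl, policies
}

func main() {
	rsl, policies := demoRSL()
	for _, requireNewer := range []bool{false, true} {
		p, rollbacks, err := loadPolicy(rsl, policies, requireNewer)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("requireNewer=%v: policy in force %s (version %d, threshold %d); rollback entries %v\n",
			requireNewer, p.ID, p.Version, p.Threshold, rollbacks)
	}
}
```

With the endorsement check alone the walk ends on policy-v1, because its signatures still satisfy policy-v2's root keys and threshold; with the version check the walk ends on policy-v2 and reports RSL entry 3 as a rollback attempt, which is the entry an audit after upgrading should look for.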
