Vulnerability in operator-sdk project #7042
Description
While working on operator-sdk project, I identified a security vulnerability in the sigstore package related to its legacy TUF client implementation. The issue exists in the file caching mechanism used to store TUF target files on disk. The vulnerability occurs because the legacy TUF client constructs file paths by combining a cache base directory with a target name obtained from signed metadata without validating whether the final path stays within the intended cache directory.