MEDIUM🇬🇧 English

CVE-2025-2885

CVSS 5.7v4.0pub. 2025-03-27upd. 2025-10-14

Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Amazon Tough

    APP
    Amazon
    < 0.20.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-6966HIGH7.0ten sam produkt

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough befo...

CVE-2026-6968HIGH7.1ten sam produkt

Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with de...

CVE-2026-6967HIGH7.1ten sam produkt

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before toug...

CVE-2021-41149HIGH8.2ten sam produkt

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositor...

CVE-2021-41150HIGH8.2ten sam produkt

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositor...