During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
oryginał ENCVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAmazon Tough
APPAmazon< 0.20.0
Powiązane podatności
Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough befo...
Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with de...
Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before toug...
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositor...
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositor...