During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
oryginał ENCVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XAmazon Tough
APPAmazon< 0.20.0
Powiązane podatności
Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough befo...
Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with de...
Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before toug...
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositor...
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositor...