MEDIUM🇵🇱 Wersja polska

CVE-2025-2887

CVSS 5.7v4.0pub. 2025-03-27upd. 2025-10-14

During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Amazon Tough

    APP
    Amazon
    < 0.20.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-6966HIGH7.0ten sam produkt

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough befo...

CVE-2026-6968HIGH7.1ten sam produkt

Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with de...

CVE-2026-6967HIGH7.1ten sam produkt

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before toug...

CVE-2021-41149HIGH8.2ten sam produkt

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositor...

CVE-2021-41150HIGH8.2ten sam produkt

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositor...