MEDIUM🇵🇱 Wersja polska

CVE-2025-2888

CVSS 5.7v4.0pub. 2025-03-27upd. 2025-10-14

During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Amazon Tough

    APP
    Amazon
    < 0.20.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-6966HIGH7.0ten sam produkt

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough befo...

CVE-2026-6968HIGH7.1ten sam produkt

Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with de...

CVE-2026-6967HIGH7.1ten sam produkt

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before toug...

CVE-2021-41149HIGH8.2ten sam produkt

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositor...

CVE-2021-41150HIGH8.2ten sam produkt

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositor...