CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/SC:N/VI:H/SI:N/VA:N/SA:N
AI Score
Confidence
High
During the ongoing work on the TUF conformance test suite, we have come across a test that reveals what we believe is a bug in go-tuf with security implications. The bug exists in go-tuf delegation tracing and could result in downloading the wrong artifact.
We have come across this issue in the test in this PR: https://github.com/theupdateframework/tuf-conformance/pull/115.
The test - test_graph_traversal
- sets up a repository with a series of delegations, invokes the clients refresh()
and then checks the order in which the client traced the delegations. The test shows that the go-tuf client inconsistently traces the delegations in a wrong way. For example, during one CI run, the two-level-delegations
test case triggered a wrong order. The delegations in this look as such:
"two-level-delegations": DelegationsTestCase(
delegations=[
DelegationTester("targets", "A"),
DelegationTester("targets", "B"),
DelegationTester("B", "C"),
],
visited_order=["A", "B", "C"],
),
Here, targets
delegate to "A"
, and to "B"
, and "B"
delegates to "C"
. The client should trace the delegations in the order "A"
then "B"
then "C"
but in this particular CI run, go-tuf traced the delegations "B"->"C"->"A"
.
In a subsequent CI run, this test case did not fail, but another one did.
@jku has done a bit of debugging and believes that the returned map of GetRolesForTarget
returns a map that causes this behavior:
We believe that this map should be an ordered list instead of a map.
Vendor | Product | Version | CPE |
---|---|---|---|
theupdateframework | go-tuf | * | cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-4f8r-qqr9-fq8j
github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580
github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819
github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j
github.com/theupdateframework/tuf-conformance/pull/115
nvd.nist.gov/vuln/detail/CVE-2024-47534
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
CVSS4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/SC:N/VI:H/SI:N/VA:N/SA:N
AI Score
Confidence
High