4 matches found
CVE-2025-2885
Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure...
tough-kms (>=0.2.0 <=0.5.0), tough-ssm (>=0.5.0 <=0.8.0) +1 more potentially affected by CVE-2025-2885 via tough (>=0.10.0 <=0.1.0)
tough CARGO version =0.10.0, =0.2.0, =0.5.0, =0.1.0, =0.9.0 Source cves: CVE-2025-2885 Source advisory: OSV:GHSA-5VMP-M5V2-HX47...
CVE-2025-2885 Root metadata version not validated in tough
Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure...
CVE-2025-2885
CVE-2025-2885 affects the Tough root-metadata handling in the Amazon Tough (Rust) client library. The root metadata version number validation is missing, allowing an attacker to supply an arbitrary version instead of the intended one, which could cause the client to fetch a different or outdated ...