
31 matches found

OSV, added 2026/05/05 6:46 p.m., 5 views

GHSA-4V58-8P28-2RQ3 awslabs/tough is Missing Delegated Metadata Validation

Summary Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local...

CVSS 7.1, AI score 5.9, EPSS 0.00246
Exploits 0, References 8
Github Security Blog, added 2026/05/05 6:46 p.m., 8 views

awslabs/tough Delegated Roles have a Signature Threshold Bypass

Summary Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegate...

CVSS 7, AI score 5.8, EPSS 0.00262
Exploits 0, References 8, Affected software 2
EUVD, added 2026/04/24 7:44 p.m., 6 views

EUVD-2026-25629

Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copytarget/linktarget, symlinked parent directories in savetarget, or symlinked...

CVSS 7.1, AI score 5.4, EPSS 0.0052
Exploits 0, References 6
Vulnrichment, added 2026/04/24 7:41 p.m., 3 views

CVE-2026-6967 Missing Delegated Metadata Validation in awslabs/tough

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cach...

CVSS 7.1, AI score 5.3, EPSS 0.00246
Exploits 0, References 6
ATTACKERKB, added 2026/04/24 7:38 p.m., 4 views

CVE-2026-6966

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role...

CVSS 7, AI score 5.3, EPSS 0.00262
Exploits 0, References 7
EUVD, added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-1579

Malware in sbrugna...

CVSS 8.6, AI score 8.5, EPSS 0.01357
Exploits 0, References 8
RedhatCVE, added 2025/05/22 9:21 p.m., 9 views

CVE-2021-41149

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached o...

CVSS 8.5, AI score 6.9, EPSS 0.01077
Exploits 0
RedhatCVE, added 2025/05/22 9:21 p.m., 5 views

CVE-2021-41150

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is...

CVSS 8.2, AI score 6.7, EPSS 0.0124
Exploits 0
RedhatCVE, added 2025/02/05 2:52 p.m., 6 views

CVE-2020-15093

The tough library Rust/crates.io prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A...

CVSS 9.8, AI score 6.5, EPSS 0.01357
Exploits 0
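The duplicate-signature bypass in CVE-2020-15093, and its recurrence for delegated roles in CVE-2026-6966, comes down to how the client tallies signatures against a role's threshold. The Rust below is an added illustration and is not code from awslabs/tough: it models keys and signatures with a toy tag-concatenation scheme (an assumption standing in for real ed25519/RSA verification) and contrasts a tally that counts every verifying signature with one that counts distinct authorized keyids. The key names, the role and the message are constructed for the example.

```rust
use std::collections::{BTreeMap, HashSet};

/// One entry from a TUF "signatures" array: which key signed and the bytes.
/// Constructed model; tough carries these as hex strings inside signed JSON.
#[derive(Clone, Debug, PartialEq)]
pub struct Signature {
    pub keyid: String,
    pub sig: Vec<u8>,
}

/// A (delegated) role as its parent metadata describes it: the keyids that
/// may sign for it and how many distinct keys must sign.
pub struct Role {
    pub keyids: Vec<String>,
    pub threshold: usize,
}

/// Key store: keyid -> secret tag. Stand-in for real public keys (assumption).
pub type Keys = BTreeMap<String, Vec<u8>>;

/// Toy signing: sig = tag || message. Assumption for this example only;
/// tough uses real ed25519/RSA signatures.
pub fn sign(keys: &Keys, keyid: &str, msg: &[u8]) -> Signature {
    let mut sig = keys[keyid].clone();
    sig.extend_from_slice(msg);
    Signature { keyid: keyid.to_string(), sig }
}

/// Toy verification matching `sign`; unknown keyids never verify.
pub fn verify(keys: &Keys, keyid: &str, sig: &[u8], msg: &[u8]) -> bool {
    match keys.get(keyid) {
        Some(tag) => {
            let mut expected = tag.clone();
            expected.extend_from_slice(msg);
            expected.as_slice() == sig
        }
        None => false,
    }
}

/// Vulnerable tally (the counting flaw described in the advisories above):
/// every verifying signature counts, so one valid signature listed twice
/// satisfies threshold = 2.
pub fn threshold_met_vulnerable(role: &Role, keys: &Keys, sigs: &[Signature], msg: &[u8]) -> bool {
    let mut valid = 0usize;
    for s in sigs {
        let authorized = role.keyids.iter().any(|k| k == &s.keyid);
        if authorized && verify(keys, &s.keyid, &s.sig, msg) {
            valid += 1;
        }
    }
    valid >= role.threshold
}

/// Fixed tally: count distinct authorized keyids that produced at least one
/// valid signature. Duplicates and extra signatures from one key count once.
pub fn threshold_met_fixed(role: &Role, keys: &Keys, sigs: &[Signature], msg: &[u8]) -> bool {
    let mut signers: HashSet<&str> = HashSet::new();
    for s in sigs {
        if signers.contains(s.keyid.as_str()) {
            continue; // this key has already been counted
        }
        let authorized = role.keyids.iter().any(|k| k == &s.keyid);
        if authorized && verify(keys, &s.keyid, &s.sig, msg) {
            signers.insert(s.keyid.as_str());
        }
    }
    signers.len() >= role.threshold
}

/// Constructed sample: two authorized keys, threshold 2, plus a third key
/// that exists in the key store but is not delegated this role.
pub fn sample() -> (Role, Keys, Vec<u8>) {
    let mut keys = Keys::new();
    keys.insert("key-a".into(), b"secret-a".to_vec());
    keys.insert("key-b".into(), b"secret-b".to_vec());
    keys.insert("key-z".into(), b"secret-z".to_vec());
    let role = Role { keyids: vec!["key-a".into(), "key-b".into()], threshold: 2 };
    let msg = br#"{"_type":"targets","version":7}"#.to_vec();
    (role, keys, msg)
}

fn main() {
    let (role, keys, msg) = sample();
    let one = sign(&keys, "key-a", &msg);
    let dup = vec![one.clone(), one];
    println!("duplicated signature, vulnerable tally: {}", threshold_met_vulnerable(&role, &keys, &dup, &msg));
    println!("duplicated signature, fixed tally:      {}", threshold_met_fixed(&role, &keys, &dup, &msg));
}
```

Two details matter beyond deduplication: the keyid must be one the parent role actually delegated (a valid signature from a key that exists elsewhere in the repository must not count), and the set is keyed on keyid rather than on signature bytes, so two different signatures from the same key still count as one signer.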
OSV, added 2021/10/19 8:16 p.m., 21 views

GHSA-R56Q-VV3C-6G9C Improper sanitization of delegated role names

Impact The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere o...

CVSS 8.2, AI score 7.2, EPSS 0.0124
Exploits 0, References 5
Github Security Blog, added 2021/10/19 8:16 p.m., 66 views

Improper sanitization of delegated role names

Impact The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere o...

CVSS 8.2, AI score 7.2, EPSS 0.0124
Exploits 0, References 5, Affected software 1
OSV, added 2021/10/19 8:15 p.m., 17 views

CVE-2021-41150

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is...

CVSS 6.5, AI score 8.5
Exploits 0, References 3
NVD, added 2021/10/19 8:15 p.m., 16 views

CVE-2021-41150

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is...

CVSS 8.2, EPSS 0.0124
Exploits 0, References 3
ATTACKERKB, added 2021/10/19 8:15 p.m., 4 views

CVE-2021-41150

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is...

CVSS 8.2, AI score 6.6, EPSS 0.0124
Exploits 0, References 4, Affected software 1
Prion, added 2021/10/19 8:15 p.m., 14 views

Code injection

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is...

CVSS 3.5, AI score 6.4, EPSS 0.0124
Exploits 0, References 3, Affected software 1
Cvelist, added 2021/10/19 7:55 p.m., 19 views

CVE-2021-41150 Improper sanitization of delegated role names in tough

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is...

CVSS 8.2, AI score 8.3, EPSS 0.0124
Exploits 0, References 3
CVE, added 2021/10/19 7:55 p.m., 89 views

CVE-2021-41150

CVE-2021-41150 affects the Tough Rust library (pre-0.12.0). The issue is improper sanitization of delegated role names when caching or loading a repository, allowing files ending with .json to be overwritten with role metadata anywhere on the system. This is caused by insufficient handling during...

CVSS 8.2, AI score 7.3, EPSS 0.0124
Exploits 0, References 3, Affected software 1
OSV, added 2021/10/19 6:15 p.m., 11 views

CVE-2021-41149

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached o...

CVSS 8.1, AI score 8.1
Exploits 0, References 2
NVD, added 2021/10/19 6:15 p.m., 10 views

CVE-2021-41149

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached o...

CVSS 8.5, EPSS 0.01077
Exploits 0, References 2
Cvelist, added 2021/10/19 6:00 p.m., 18 views

CVE-2021-41149 Improper sanitization of target names in tough

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached o...

CVSS 8.2, AI score 8.3, EPSS 0.01077
Exploits 0, References 2
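CVE-2021-41149, CVE-2021-41150 and EUVD-2026-25629 are the same failure seen three times: a name controlled by the repository (a target name or a delegated role name) is turned into a filesystem path without being confined to the cache or output directory, whether through an absolute name, a `..` component, or an existing directory that is really a symlink. The Rust below is an added example and is not tough's own fix: the lexical rules, the percent-encoding of role file names and the symlink walk are one illustration of the class of check, `/var/cache/tuf` is an assumed output directory, and the sample names are constructed.

```rust
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum NameError {
    Empty,
    Absolute,
    ParentDir,
    Escapes,
}

/// The unsafe pattern: Path::join discards `outdir` entirely when the target
/// name is absolute, and "../" components walk out of it.
pub fn join_unchecked(outdir: &Path, target_name: &str) -> PathBuf {
    outdir.join(target_name)
}

/// Lexical confinement: no empty name, no root or prefix, no ".." component,
/// and a final starts_with check so the result is provably under outdir.
pub fn join_checked(outdir: &Path, target_name: &str) -> Result<PathBuf, NameError> {
    if target_name.is_empty() {
        return Err(NameError::Empty);
    }
    let rel = Path::new(target_name);
    if rel.is_absolute() || rel.has_root() {
        return Err(NameError::Absolute);
    }
    let mut out = outdir.to_path_buf();
    for c in rel.components() {
        match c {
            Component::Normal(seg) => out.push(seg),
            Component::CurDir => {}
            Component::ParentDir => return Err(NameError::ParentDir),
            Component::RootDir | Component::Prefix(_) => return Err(NameError::Absolute),
        }
    }
    if !out.starts_with(outdir) {
        return Err(NameError::Escapes);
    }
    Ok(out)
}

/// Role metadata is written as "<role>.json". Percent-encode everything
/// outside [A-Za-z0-9._-] so the name is always a single path component and
/// two different role names can never map to the same file. (Assumed scheme.)
pub fn role_filename(role: &str) -> String {
    let mut out = String::with_capacity(role.len() + 5);
    for b in role.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out.push_str(".json");
    out
}

/// Lexical checks cannot see symlinks. Before writing, walk the directories
/// between outdir and the file and refuse if any existing one is a symlink;
/// components that do not exist yet are fine, they will be created fresh.
pub fn no_symlink_ancestors(outdir: &Path, full: &Path) -> io::Result<bool> {
    let rel = full
        .strip_prefix(outdir)
        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "path not under outdir"))?;
    let comps: Vec<Component> = rel.components().collect();
    let mut cur = outdir.to_path_buf();
    for c in comps.iter().take(comps.len().saturating_sub(1)) {
        cur.push(c);
        match fs::symlink_metadata(&cur) {
            Ok(md) if md.file_type().is_symlink() => return Ok(false),
            Ok(_) => {}
            Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(true),
            Err(e) => return Err(e),
        }
    }
    Ok(true)
}

fn main() {
    let outdir = Path::new("/var/cache/tuf"); // assumed output directory
    for name in ["firmware/image.bin", "/etc/passwd", "../../etc/cron.d/evil"].iter() {
        println!("{:28} unchecked -> {}", name, join_unchecked(outdir, name).display());
        println!("{:28} checked   -> {:?}", "", join_checked(outdir, name));
    }
    println!("role file for {:?}: {}", "../../x", role_filename("../../x"));
}
```

The symlink walk is still a check-then-use sequence: a directory can be swapped for a symlink between the walk and the write, so on platforms that support it the stronger option is to open each directory component with no-follow semantics and create the file relative to that handle. The lexical check remains necessary either way, since an absolute or `..`-bearing name never reaches the filesystem at all.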