3 matches found
Go-tuf Improperly handles multiple key IDs for the same public keys in attacker-controlled metadata
Issue If an attacker is able to control a threshold of keys to insert the same public key more than once with different key IDs into signed, trusted metadata on a TUF repository, then go-tuf clients 0.3.2 are susceptible to an attack where attackers can cause the same signature from the same publ...
GHSA-3633-5H82-39PQ Go-tuf Improperly handles multiple key IDs for the same public keys in attacker-controlled metadata
Issue If an attacker is able to control a threshold of keys to insert the same public key more than once with different key IDs into signed, trusted metadata on a TUF repository, then go-tuf clients 0.3.2 are susceptible to an attack where attackers can cause the same signature from the same publ...
Improper Validation of Integrity Check Value in go-tuf
Impact go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to install software that is older than the software whic...