84 matches found

NVD
added 2024/10/01 4:15 p.m. · 17 views

CVE-2024-47534

go-tuf is a Go implementation of The Update Framework TUF. The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but it may incorrectly...

CVSS 8.2 · EPSS 0.00486
Exploits 0 · References 5
OSV
added 2024/10/01 3:17 p.m. · 8 views

CVE-2024-47534 Incorrect delegation lookups can make go-tuf download the wrong artifact

go-tuf is a Go implementation of The Update Framework TUF. The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but it may incorrectly...

CVSS 8.2 · AI score 7.6 · EPSS 0.00486
Exploits 0 · References 7
CNNVD
added 2024/10/01 12:00 a.m. · 5 views

go-tuf race condition vulnerability

go-tuf is an open source framework from The Update Framework for protecting software update systems. A race condition vulnerability exists in go-tuf that stems from inconsistent tracing of delegations...

CVSS 8.2 · AI score 8.1 · EPSS 0.00486
Exploits 0 · References 6
NVD
added 2022/05/05 11:15 p.m. · 10 views

CVE-2022-29173

go-tuf is a Go implementation of The Update Framework TUF. go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to...

CVSS 8.8 · EPSS 0.00521
Exploits 0 · References 2
Prion
added 2022/05/05 11:15 p.m. · 15 views

Code injection

go-tuf is a Go implementation of The Update Framework TUF. go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to...

CVSS 4.3 · AI score 8.7 · EPSS 0.00521
Exploits 0 · References 2 · Affected Software 1
UbuntuCve
added 2022/05/05 11:15 p.m. · 23 views

CVE-2022-29173

go-tuf is a Go implementation of The Update Framework TUF. go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to...

CVSS 8.8 · AI score 7.2 · EPSS 0.00521
Exploits 0 · References 3
Vulnrichment
added 2022/05/05 10:30 p.m. · 3 views

CVE-2022-29173 No protection against rollback attacks in go-tuf

go-tuf is a Go implementation of The Update Framework TUF. go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to...

CVSS 8 · AI score 8.7 · EPSS 0.00521
Exploits 0 · References 2
Debian CVE
added 2022/05/05 10:30 p.m. · 25 views

CVE-2022-29173

go-tuf is a Go implementation of The Update Framework TUF. go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to...

CVSS 8.8 · AI score 7.3 · EPSS 0.00521
Exploits 0
Cvelist
added 2022/05/05 10:30 p.m. · 16 views

CVE-2022-29173 No protection against rollback attacks in go-tuf

go-tuf is a Go implementation of The Update Framework TUF. go-tuf does not correctly implement the client workflow for updating the metadata files for roles other than the root role. Specifically, checks for rollback attacks are not implemented correctly meaning an attacker can cause clients to...

CVSS 8 · AI score 9 · EPSS 0.00521
Exploits 0 · References 2
CVE
added 2022/05/05 10:30 p.m. · 73 views

CVE-2022-29173

The CVE-2022-29173 issue affects go-tuf, a Go implementation of The Update Framework (TUF). The root cause is rollback-attack vulnerabilities in the client workflow for non-root roles: the client may ignore previously trusted metadata and may treat timestamp/snapshot files as trusted before valid...

CVSS 8.8 · AI score 8.3 · EPSS 0.00521
Exploits 0 · References 2 · Affected Software 1
Tenable Nessus
added 2022/02/22 12:00 a.m. · 20 views

FreeBSD : The Update Framework -- path traversal vulnerability (85d976be-93e3-11ec-aaad-14dae9d5a9d2)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 85d976be-93e3-11ec-aaad-14dae9d5a9d2 advisory. - python-tuf is a Python reference implementation of The Update Framework TUF. In both clients tuf/clie...

CVSS 8.8 · AI score 8.1 · EPSS 0.01404
Exploits 0 · References 3
OSV
added 2021/10/19 8:15 p.m. · 17 views

CVE-2021-41150

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is...

CVSS 6.5 · AI score 8.5
Exploits 0 · References 3
Prion
added 2021/10/19 8:15 p.m. · 13 views

Code injection

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is...

CVSS 3.5 · AI score 6.4 · EPSS 0.0124
Exploits 0 · References 3 · Affected Software 1
CVE
added 2021/10/19 7:55 p.m. · 86 views

CVE-2021-41150

CVE-2021-41150 affects the Tough Rust library (pre-0.12.0). The issue is improper sanitization of delegated role names when caching or loading a repository, allowing files ending with .json to be overwritten with role metadata anywhere on the system. This is caused by insufficient handling during...

CVSS 8.2 · AI score 7.3 · EPSS 0.0124
Exploits 0 · References 3 · Affected Software 1
NVD
added 2021/10/19 6:15 p.m. · 20 views

CVE-2021-41131

python-tuf is a Python reference implementation of The Update Framework TUF. In both clients tuf/client and tuf/ngclient, there is a path traversal vulnerability that in the worst case can overwrite files ending in .json anywhere on the client system on a call to get_one_valid_targetinfo. It occurs...

CVSS 8.8 · EPSS 0.01404
Exploits 0 · References 3
OSV
added 2021/10/19 6:15 p.m. · 16 views

CVE-2021-41131

python-tuf is a Python reference implementation of The Update Framework TUF. In both clients tuf/client and tuf/ngclient, there is a path traversal vulnerability that in the worst case can overwrite files ending in .json anywhere on the client system on a call to get_one_valid_targetinfo. It occurs...

CVSS 8.7 · AI score 8.6
Exploits 0 · References 3
Prion
added 2021/10/19 6:15 p.m. · 20 views

Path traversal

python-tuf is a Python reference implementation of The Update Framework TUF. In both clients tuf/client and tuf/ngclient, there is a path traversal vulnerability that in the worst case can overwrite files ending in .json anywhere on the client system on a call to get_one_valid_targetinfo. It occurs...

CVSS 8.8 · AI score 8.7 · EPSS 0.01404
Exploits 0 · References 3 · Affected Software 1
CVE
added 2021/10/19 6:00 p.m. · 50 views

CVE-2021-41149

The CVE-2021-41149 issue concerns the tough Rust library (pre-0.12.0) where target names are not properly sanitized when caching a repository or saving targets to an output directory. This can allow files to be overwritten with arbitrary content anywhere on the system. A fix is available in versi...

CVSS 8.5 · AI score 8.1 · EPSS 0.01077
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2021/10/19 6:00 p.m. · 17 views

CVE-2021-41149 Improper sanitization of target names in tough

Tough provides a set of Rust libraries and tools for using and generating the update framework TUF repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached o...

CVSS 8.2 · AI score 8.3 · EPSS 0.01077
Exploits 0 · References 2
CVE
added 2021/10/19 5:50 p.m. · 80 views

CVE-2021-41131

CVE-2021-41131 affects the Python reference implementation of The Update Framework (python-tuf), specifically the clients in the tuf/client and tuf/ngclient components. A path-traversal flaw allows an attacker to craft a rolename that, on calling get_one_valid_targetinfo(), can cause the overwrit...

CVSS 8.8 · AI score 8 · EPSS 0.01404
Exploits 0 · References 3 · Affected Software 1