9 matches found
CVE-2026-6966
Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role...
EUVD-2026-25628
awslabs/tough is Missing Delegated Metadata Validation...
CVE-2026-6968
Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copytarget/linktarget, symlinked parent directories in savetarget, or symlinked...
CVE-2026-6968
CVE-2026-6968 affects awslabs/tough prior to tough-v0.22.0 (and related tuftool). The vulnerability arises from incomplete path traversal fixes, where write operations join the destination path before containment verification, enabling remote authenticated users with delegated signing authority t...
CVE-2026-6967
Affected software: awslabs/tough (before tough-v0.22.0) with delegated metadata validation. Root cause: missing expiration, hash, and length enforcement in delegated metadata validation causing load_delegations to bypass TUF integrity checks for delegated targets metadata. Impact: remote authenti...
CVE-2026-6967 Missing Delegated Metadata Validation in awslabs/tough
Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cach...
CVE-2026-6966 Signature Threshold Bypass in awslabs/tough Delegated Roles
Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role...
CVE-2026-6966 Signature Threshold Bypass in awslabs/tough Delegated Roles
Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role...
CVE-2025-2887
During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched ...