Lucene search
K

9 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.8 views

CVE-2026-6966

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role...

7CVSS5.5AI score0.00262EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/05 6:46 p.m.4 views

EUVD-2026-25628

awslabs/tough is Missing Delegated Metadata Validation...

7.1CVSS5.8AI score0.00246EPSS
Exploits0References7
NVD
NVD
added 2026/04/24 8:16 p.m.10 views

CVE-2026-6968

Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copytarget/linktarget, symlinked parent directories in savetarget, or symlinked...

7.1CVSS0.0052EPSS
Exploits0References6
CVE
CVE
added 2026/04/24 7:44 p.m.25 views

CVE-2026-6968

CVE-2026-6968 affects awslabs/tough prior to tough-v0.22.0 (and related tuftool). The vulnerability arises from incomplete path traversal fixes, where write operations join the destination path before containment verification, enabling remote authenticated users with delegated signing authority t...

7.1CVSS5.4AI score0.0052EPSS
Exploits0References6Affected Software2
CVE
CVE
added 2026/04/24 7:41 p.m.15 views

CVE-2026-6967

Affected software: awslabs/tough (before tough-v0.22.0) with delegated metadata validation. Root cause: missing expiration, hash, and length enforcement in delegated metadata validation causing load_delegations to bypass TUF integrity checks for delegated targets metadata. Impact: remote authenti...

7.1CVSS5.3AI score0.00246EPSS
Exploits0References6Affected Software2
Cvelist
Cvelist
added 2026/04/24 7:41 p.m.32 views

CVE-2026-6967 Missing Delegated Metadata Validation in awslabs/tough

Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cach...

7.1CVSS0.00246EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/04/24 7:38 p.m.5 views

CVE-2026-6966 Signature Threshold Bypass in awslabs/tough Delegated Roles

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role...

7CVSS5.3AI score0.00262EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/04/24 7:38 p.m.34 views

CVE-2026-6966 Signature Threshold Bypass in awslabs/tough Delegated Roles

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role...

7CVSS0.00262EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2025/03/29 10:44 p.m.35 views

CVE-2025-2887

During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched ...

5.7CVSS7.4AI score0.00307EPSS
Exploits0References4
Rows per page
Query Builder