10 matches found
CVE-2021-41150
CVE-2021-41150 affects the Tough Rust library (pre-0.12.0). The issue is improper sanitization of delegated role names when caching or loading a repository, allowing files ending with .json to be overwritten with role metadata anywhere on the system. This is caused by insufficient handling during...
CVE-2020-15093
The CVE-2020-15093 entry concerns the tough library (Rust/crates.io) prior to version 0.7.1, where the threshold of cryptographic signatures is not properly verified. This allows an attacker to duplicate a valid signature to bypass TUF’s minimum threshold of unique signatures before metadata is c...
CVE-2025-2886
CVE-2025-2886 describes a flaw in the Amazon tough (TUF) client: missing validation of terminating delegations causes the client to continue searching the delegation list after a terminating delegation, potentially fetching a target from an incorrect source and altering contents. Affected softwar...
CVE-2025-2888
CVE-2025-2888 affects the Amazon tough client (The Update Framework) where, during a snapshot rollback, the client incorrectly caches timestamp metadata. If the next update checks this cache, update timestamp validation may fail, blocking subsequent updates until the cache is cleared. The issue i...
CVE-2025-2887
CVE-2025-2887 affects the tough (Rust) client used with The Update Framework (TUF). The vulnerability occurs during a target rollback where the client fails to detect the rollback for delegated targets, potentially causing the client to fetch a target from an incorrect source and alter target con...
CVE-2025-2885
CVE-2025-2885 affects the Tough root-metadata handling in the Amazon Tough (Rust) client library. The root metadata version number validation is missing, allowing an attacker to supply an arbitrary version instead of the intended one, which could cause the client to fetch a different or outdated ...
CVE-2021-41149
The CVE-2021-41149 issue concerns the tough Rust library (pre-0.12.0) where target names are not properly sanitized when caching a repository or saving targets to an output directory. This can allow files to be overwritten with arbitrary content anywhere on the system. A fix is available in versi...
CVE-2026-6968
CVE-2026-6968 affects awslabs/tough prior to tough-v0.22.0 (and related tuftool). The vulnerability arises from incomplete path traversal fixes, where write operations join the destination path before containment verification, enabling remote authenticated users with delegated signing authority t...
CVE-2026-6966
The CVE-2026-6966 issue affects awslabs/tough prior to tough-v0.22.0, where improper verification of cryptographic signature uniqueness in delegated role validation can allow remote authenticated users to bypass the TUF signature threshold by duplicating a valid signature, causing the client to a...
CVE-2026-6967
Affected software: awslabs/tough (before tough-v0.22.0) with delegated metadata validation. Root cause: missing expiration, hash, and length enforcement in delegated metadata validation causing load_delegations to bypass TUF integrity checks for delegated targets metadata. Impact: remote authenti...