Lucene search
K
AmazonTough

10 matches found

CVE
CVE
added 2021/10/19 7:55 p.m.91 views

CVE-2021-41150

CVE-2021-41150 affects the Tough Rust library (pre-0.12.0). The issue is improper sanitization of delegated role names when caching or loading a repository, allowing files ending with .json to be overwritten with role metadata anywhere on the system. This is caused by insufficient handling during...

8.2CVSS7.3AI score0.0124EPSS
CVE
CVE
added 2020/07/09 6:45 p.m.70 views

CVE-2020-15093

The CVE-2020-15093 entry concerns the tough library (Rust/crates.io) prior to version 0.7.1, where the threshold of cryptographic signatures is not properly verified. This allows an attacker to duplicate a valid signature to bypass TUF’s minimum threshold of unique signatures before metadata is c...

8.6CVSS9AI score0.01357EPSS
CVE
CVE
added 2025/03/27 10:22 p.m.70 views

CVE-2025-2886

CVE-2025-2886 describes a flaw in the Amazon tough (TUF) client: missing validation of terminating delegations causes the client to continue searching the delegation list after a terminating delegation, potentially fetching a target from an incorrect source and altering contents. Affected softwar...

5.7CVSS6.7AI score0.00307EPSS
CVE
CVE
added 2025/03/27 10:23 p.m.70 views

CVE-2025-2888

CVE-2025-2888 affects the Amazon tough client (The Update Framework) where, during a snapshot rollback, the client incorrectly caches timestamp metadata. If the next update checks this cache, update timestamp validation may fail, blocking subsequent updates until the cache is cleared. The issue i...

5.7CVSS6.8AI score0.00307EPSS
CVE
CVE
added 2025/03/27 10:23 p.m.65 views

CVE-2025-2887

CVE-2025-2887 affects the tough (Rust) client used with The Update Framework (TUF). The vulnerability occurs during a target rollback where the client fails to detect the rollback for delegated targets, potentially causing the client to fetch a target from an incorrect source and alter target con...

5.7CVSS6.8AI score0.00307EPSS
CVE
CVE
added 2025/03/27 10:18 p.m.64 views

CVE-2025-2885

CVE-2025-2885 affects the Tough root-metadata handling in the Amazon Tough (Rust) client library. The root metadata version number validation is missing, allowing an attacker to supply an arbitrary version instead of the intended one, which could cause the client to fetch a different or outdated ...

5.7CVSS7AI score0.00307EPSS
CVE
CVE
added 2021/10/19 6:0 p.m.52 views

CVE-2021-41149

The CVE-2021-41149 issue concerns the tough Rust library (pre-0.12.0) where target names are not properly sanitized when caching a repository or saving targets to an output directory. This can allow files to be overwritten with arbitrary content anywhere on the system. A fix is available in versi...

8.5CVSS8.1AI score0.01077EPSS
CVE
CVE
added 2026/04/24 7:44 p.m.27 views

CVE-2026-6968

CVE-2026-6968 affects awslabs/tough prior to tough-v0.22.0 (and related tuftool). The vulnerability arises from incomplete path traversal fixes, where write operations join the destination path before containment verification, enabling remote authenticated users with delegated signing authority t...

7.1CVSS5.4AI score0.0052EPSS
CVE
CVE
added 2026/04/24 7:38 p.m.24 views

CVE-2026-6966

The CVE-2026-6966 issue affects awslabs/tough prior to tough-v0.22.0, where improper verification of cryptographic signature uniqueness in delegated role validation can allow remote authenticated users to bypass the TUF signature threshold by duplicating a valid signature, causing the client to a...

7CVSS5.3AI score0.00262EPSS
CVE
CVE
added 2026/04/24 7:41 p.m.17 views

CVE-2026-6967

Affected software: awslabs/tough (before tough-v0.22.0) with delegated metadata validation. Root cause: missing expiration, hash, and length enforcement in delegated metadata validation causing load_delegations to bypass TUF integrity checks for delegated targets metadata. Impact: remote authenti...

7.1CVSS5.3AI score0.00246EPSS