4 matches found
CVE-2020-6174
CVE-2020-6174 affects the tough library (Rust/crates.io) prior to version 0.7.1, where signature threshold verification is broken. Specifically, the vulnerability allows an attacker to duplicate a valid signature and circumvent the minimum threshold required for metadata validity. A f...
CVE-2021-41131
CVE-2021-41131 affects the Python reference implementation of The Update Framework (python-tuf), specifically the clients in the tuf/client and tuf/ngclient components. A path-traversal flaw allows an attacker to craft a rolename that, on calling get_one_valid_targetinfo(), can cause the overwrit...
CVE-2020-6173
CVE-2020-6173 affects The Update Framework (TUF) versions 0.7.2–0.12.1, where uncontrolled resource consumption leads to client DoS. The issue arises when an attacker with repository file access can modify metadata and create many invalid signatures, delaying clients during signature verificatio...
CVE-2020-15163
CVE-2020-15163 affects the Python TUF (The Update Framework) reference implementation prior to 0.12, which could incorrectly trust a previously downloaded root metadata file that failed verification. An attacker capable of serving multiple new root-metadata versions (MITM) could culminate in a ve...