Lucene search
+L
TheupdateframeworkGo-tuf

4 matches found

CVE
CVE
added 2022/05/05 10:30 p.m.76 views

CVE-2022-29173

The CVE-2022-29173 issue affects go-tuf, a Go implementation of The Update Framework (TUF). The root cause is rollback-attack vulnerabilities in the client workflow for non-root roles: the client may ignore previously trusted metadata and may treat timestamp/snapshot files as trusted before valid...

8.8CVSS8.3AI score0.00532EPSS
CVE
CVE
added 2026/01/22 2:16 a.m.41 views

CVE-2026-23991

CVE-2026-23991 affects go-tuf (Go implementation of The Update Framework). Affects versions 2.0.0 through 2.3.0; versions 2.3.1 and later are fixed. The issue occurs when the TUF repository or its mirrors return invalid but well-formed JSON metadata, causing the client to panic during parsing bef...

7.5CVSS5.5AI score0.0053EPSS
CVE
CVE
added 2026/01/27 12:45 a.m.31 views

CVE-2026-24686

The CVE affects go-tuf (The Update Framework for Go), specifically the TAP 4 Multirepo Client. A map-file repository name (repoName) is used as a filesystem path component when selecting the LocalMetadataDir cache. If an untrusted map file is provided, an attacker can supply a repoName containing...

4.7CVSS5.9AI score0.00211EPSS
CVE
CVE
added 2026/01/22 2:20 a.m.24 views

CVE-2026-23992

The CVE-2026-23992 entry concerns go-tuf (Go implementation of The Update Framework). It states that in versions 2.0.0 up to but not including 2.3.1, a compromised or misconfigured TUF repository could configure signature thresholds to 0, effectively disabling signature verification. This can all...

7.5CVSS5.5AI score0.00196EPSS