4 matches found
CVE-2022-29173
The CVE-2022-29173 issue affects go-tuf, a Go implementation of The Update Framework (TUF). The root cause is rollback-attack vulnerabilities in the client workflow for non-root roles: the client may ignore previously trusted metadata and may treat timestamp/snapshot files as trusted before valid...
CVE-2026-23991
CVE-2026-23991 affects go-tuf (Go implementation of The Update Framework). Affects versions 2.0.0 through 2.3.0; versions 2.3.1 and later are fixed. The issue occurs when the TUF repository or its mirrors return invalid but well-formed JSON metadata, causing the client to panic during parsing bef...
CVE-2026-24686
The CVE affects go-tuf (The Update Framework for Go), specifically the TAP 4 Multirepo Client. A map-file repository name (repoName) is used as a filesystem path component when selecting the LocalMetadataDir cache. If an untrusted map file is provided, an attacker can supply a repoName containing...
CVE-2026-23992
The CVE-2026-23992 entry concerns go-tuf (Go implementation of The Update Framework). It states that in versions 2.0.0 up to but not including 2.3.1, a compromised or misconfigured TUF repository could configure signature thresholds to 0, effectively disabling signature verification. This can all...