GHSA-pwqf-9h7j-7mv8

Source
https://github.com/advisories/GHSA-pwqf-9h7j-7mv8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-pwqf-9h7j-7mv8/GHSA-pwqf-9h7j-7mv8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pwqf-9h7j-7mv8
Aliases
Published
2020-08-21T16:25:26Z
Modified
2024-11-18T23:14:56.738638Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Incorrect threshold signature computation in TUF
Details

Impact

Metadata signature verification, as used in tuf.client.updater, counted each of multiple signatures with identical authorized keyids separately towards the threshold. Therefore, an attacker with access to a valid signing key could create multiple valid signatures in order to meet the minimum threshold of keys before the metadata was considered valid.
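
As an added illustration (not code from the tuf project), a simplified model of the role-signature check described above: the flawed count tallies every valid signature from an authorized keyid, so one key's signature listed three times satisfies a threshold of 2, while the fixed count deduplicates by keyid. The key and signature values are constructed and cryptographic verification is replaced by a stub.

```python
# Added example, not tuf's own code: a simplified model of TUF role
# signature verification, contrasting the flawed threshold count with the
# fixed one. Cryptographic verification is replaced by a constructed stub so
# that the example runs offline.

def verify_signature(key, sig, signed):
    """Constructed stand-in for real signature verification: a signature is
    accepted if it was produced with the key's constructed secret."""
    return sig["sig"] == f"{key['secret']}:{signed}"

def count_flawed(signatures, role, keys, signed):
    """Pre-0.12.2 behaviour: every valid signature by an authorized keyid is
    counted, so repeated signatures from one key all add to the tally."""
    good = 0
    for sig in signatures:
        keyid = sig["keyid"]
        if keyid in role["keyids"] and verify_signature(keys[keyid], sig, signed):
            good += 1
    return good

def count_fixed(signatures, role, keys, signed):
    """Fixed behaviour: collect the set of authorized keyids that produced a
    valid signature, so each key contributes at most once."""
    good_keyids = set()
    for sig in signatures:
        keyid = sig["keyid"]
        if keyid in role["keyids"] and verify_signature(keys[keyid], sig, signed):
            good_keyids.add(keyid)
    return len(good_keyids)

def meets_threshold(counter, signatures, role, keys, signed):
    """True if the chosen counting rule reaches the role's threshold."""
    return counter(signatures, role, keys, signed) >= role["threshold"]

# Constructed fixture: a role that requires 2 of 3 authorized keys.
KEYS = {k: {"secret": f"secret-{k}"} for k in ("a", "b", "c")}
ROLE = {"keyids": ["a", "b", "c"], "threshold": 2}
SIGNED = "root-metadata-v1"
# Only key "a" signs, but its signature is listed three times.
DUPLICATE_SIGS = [{"keyid": "a", "sig": "secret-a:root-metadata-v1"}] * 3
# Two distinct authorized keys sign, which should satisfy the threshold.
VALID_SIGS = [{"keyid": k, "sig": f"secret-{k}:root-metadata-v1"} for k in ("a", "b")]

if __name__ == "__main__":
    for name, counter in (("flawed", count_flawed), ("fixed", count_fixed)):
        print(name, meets_threshold(counter, DUPLICATE_SIGS, ROLE, KEYS, SIGNED),
              meets_threshold(counter, VALID_SIGS, ROLE, KEYS, SIGNED))
```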

The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.

Patches

A fix is available in version 0.12.2 or newer.

Workarounds

No workarounds are known for this issue.

References

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-347"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-21T16:25:02Z"
}
Affected packages

PyPI / tuf

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.12.2

Affected versions

0.*

0.7.5
0.9.8
0.9.9
0.10.0
0.10.1
0.10.2
0.11.dev0
0.11.0
0.11.1
0.11.2.dev1
0.11.2.dev2
0.11.2.dev3
0.12.dev0
0.12.dev1
0.12.dev2
0.12.0
0.12.1