QwikSec

Security Database

CVE

CWE

Training

CVE-2020-15093

Published: Jul 9, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

8.6

HIGH

Description

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation.

Vendor	Product	Versions
awslabs	tough	affected `< 0.7.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49

x_refsource_CONFIRM

https://crates.io/crates/tough

x_refsource_MISC

https://github.com/theupdateframework/tuf/pull/974

x_refsource_MISC

https://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.