Vulnerability CVE-2020-15093
Published: 2020-07-09

Description:
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation.

Type:

CWE-347

 (Improper Verification of Cryptographic Signature)

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None
Affected software
Amazon -> Tough 

 References:
https://crates.io/crates/tough
https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49
https://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e
https://github.com/theupdateframework/tuf/pull/974
Copyright 2024, cxsecurity.com

 

Back to Top