CVE-2020-15093

Description

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Affected products

awslabs / tough< 0.7.1 – < 0.7.1

References

VENDOR_ADVISORYhttps://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49
MISChttps://crates.io/crates/tough
PATCHhttps://github.com/theupdateframework/tuf/pull/974
PATCHhttps://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e