High severity · NVD Advisory · Published Jul 9, 2020 · Updated Aug 4, 2024
Improper verification of signature threshold in tough
CVE-2020-15093
Description
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation.
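The flaw described above is a counting bug, not a cryptographic one: a verifier that tallies every valid signature in the `signatures` array will accept one genuine signature pasted in twice as if two keyholders had signed. The example below is added here to show the vulnerable counting pattern next to the fixed one; it is not tough's code. It assumes a toy keyed hash (`toy_sign`) as a stand-in for the real asymmetric signature scheme, and constructed key IDs, key material and metadata bytes; the `Role` and `Signature` types are illustrative.

```rust
use std::collections::HashSet;

// Toy keyed hash standing in for a real signature scheme (assumption for this
// example only): FNV-1a over key || message. Enough to make a signature depend on
// the key and the message, which is all the threshold logic needs.
fn toy_sign(key: &[u8], msg: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in key.iter().chain(msg.iter()) {
        h ^= u64::from(*b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

/// One entry of a TUF `signatures` array: which key claims to have signed, and the value.
#[derive(Clone, Debug)]
struct Signature {
    keyid: String,
    sig: u64,
}

/// A role's trust anchor: the keys allowed to sign and how many distinct ones are needed.
struct Role {
    keys: Vec<(String, Vec<u8>)>, // (keyid, key material); constructed sample data
    threshold: usize,
}

impl Role {
    /// True if `s` is a valid signature over `msg` by one of this role's keys.
    fn verify_one(&self, msg: &[u8], s: &Signature) -> bool {
        self.keys
            .iter()
            .any(|(id, key)| *id == s.keyid && toy_sign(key, msg) == s.sig)
    }

    /// Vulnerable pattern: every valid signature counts, so one valid signature
    /// repeated N times satisfies a threshold of N.
    fn threshold_met_vulnerable(&self, msg: &[u8], sigs: &[Signature]) -> bool {
        let valid = sigs.iter().filter(|s| self.verify_one(msg, s)).count();
        valid >= self.threshold
    }

    /// Fixed pattern: count distinct trusted key IDs that produced a valid
    /// signature, so repeats of the same key contribute only once.
    fn threshold_met_fixed(&self, msg: &[u8], sigs: &[Signature]) -> bool {
        let mut signers: HashSet<&str> = HashSet::new();
        for s in sigs {
            if self.verify_one(msg, s) {
                signers.insert(s.keyid.as_str());
            }
        }
        signers.len() >= self.threshold
    }
}

/// Constructed role: two trusted keys, threshold 2. Returns the role and both keys.
fn sample_role() -> (Role, Vec<u8>, Vec<u8>) {
    let key_a = b"sample-key-A".to_vec();
    let key_b = b"sample-key-B".to_vec();
    let role = Role {
        keys: vec![
            ("keyid-A".to_string(), key_a.clone()),
            ("keyid-B".to_string(), key_b.clone()),
        ],
        threshold: 2,
    };
    (role, key_a, key_b)
}

const SAMPLE_METADATA: &[u8] = b"{\"_type\":\"targets\",\"version\":7}"; // constructed

/// Only key A signed, and its signature is listed twice in the metadata.
/// Returns (vulnerable check accepts, fixed check accepts).
fn duplicated_signature_check() -> (bool, bool) {
    let (role, key_a, _key_b) = sample_role();
    let sig_a = Signature { keyid: "keyid-A".to_string(), sig: toy_sign(&key_a, SAMPLE_METADATA) };
    let sigs = vec![sig_a.clone(), sig_a];
    (
        role.threshold_met_vulnerable(SAMPLE_METADATA, &sigs),
        role.threshold_met_fixed(SAMPLE_METADATA, &sigs),
    )
}

/// Both keys genuinely signed: the fixed check must still accept.
fn two_distinct_signers_check() -> bool {
    let (role, key_a, key_b) = sample_role();
    let sigs = vec![
        Signature { keyid: "keyid-A".to_string(), sig: toy_sign(&key_a, SAMPLE_METADATA) },
        Signature { keyid: "keyid-B".to_string(), sig: toy_sign(&key_b, SAMPLE_METADATA) },
    ];
    role.threshold_met_fixed(SAMPLE_METADATA, &sigs)
}

fn main() {
    let (vulnerable, fixed) = duplicated_signature_check();
    println!("duplicated signature: vulnerable accepts = {}, fixed accepts = {}", vulnerable, fixed);
    println!("two distinct signers: fixed accepts = {}", two_distinct_signers_check());
}
```

Running it prints that the vulnerable check accepts the duplicated signature while the fixed check rejects it, and that the fixed check still accepts two genuinely distinct signers. Deduplicating by key ID is sufficient only if the role's key list does not carry the same key material under two IDs; a verifier that wants to be robust against that as well would deduplicate on the key material itself.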
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tough (crates.io) | < 0.7.1 | 0.7.1 |
References
- github.com/advisories/GHSA-5q2r-92f9-4m49 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-15093 (NVD advisory)
- crates.io/crates/tough (MITRE, x_refsource_MISC)
- github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49 (GHSA, x_refsource_CONFIRM)
- github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e (GHSA, x_refsource_MISC)
- github.com/theupdateframework/tuf/pull/974 (GHSA, x_refsource_MISC)
- rustsec.org/advisories/RUSTSEC-2020-0024.html (GHSA)