High severity · OSV Advisory · Published Oct 1, 2024 · Updated Apr 15, 2026
CVE-2024-47534
Description
go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but it may incorrectly trace the delegations "B"->"C"->"A". This vulnerability is fixed in 2.0.1.
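The ordering the description calls for, as an added example that is not go-tuf's code: the TUF specification resolves delegations with a pre-order depth-first search, so roles are consulted in the order they are listed and a role's own delegations are visited before its later siblings. The names `Delegation`, `Repo` and `TraceOrder` are hypothetical, the sample data is constructed, and path matching is simplified to `path.Match`.

```go
package main

import (
	"fmt"
	"path"
)

// Delegation models one delegated role (constructed type, not go-tuf's).
type Delegation struct{ Name string; Paths []string }

// Repo keeps each role's delegations in a slice: ranging over a Go map would give an unspecified order.
type Repo map[string][]Delegation

func matches(patterns []string, target string) bool {
	for _, p := range patterns {
		if ok, _ := path.Match(p, target); ok {
			return true
		}
	}
	return false
}

// TraceOrder lists the delegated roles consulted for target, pre-order depth-first from "targets".
func TraceOrder(repo Repo, target string) []string {
	order, visited := []string{}, map[string]bool{}
	stack := []string{"targets"}
	for len(stack) > 0 {
		role := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if visited[role] {
			continue // each role is consulted once, which also breaks cycles
		}
		visited[role] = true
		order = append(order, role)
		ds := repo[role]
		for i := len(ds) - 1; i >= 0; i-- { // reverse push: first listed pops first
			if matches(ds[i].Paths, target) {
				stack = append(stack, ds[i].Name)
			}
		}
	}
	return order[1:] // drop the top-level "targets" entry
}

func main() {
	// Constructed sample from the description: targets -> A, B and B -> C.
	repo := Repo{"targets": {{"A", []string{"*.bin"}}, {"B", []string{"*.bin"}}}, "B": {{"C", []string{"*.bin"}}}}
	fmt.Println(TraceOrder(repo, "app.bin")) // [A B C]
}
```

Because the first role in this order that lists a target decides its metadata, a client that visits the roles in any other order can resolve the same target name to a different role's entry.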
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/theupdateframework/go-tuf/v2 (Go) | < 2.0.1 | 2.0.1 |
Affected products (153)
- Range: v0.1.0, v0.2.0, v0.3.0, …
References (8)
- github.com/advisories/GHSA-4f8r-qqr9-fq8j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-47534 (ghsa, ADVISORY)
- github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go (nvd, WEB)
- github.com/theupdateframework/go-tuf/commit/edc30b474f5afd4cc603e17149704d5aa605151d (nvd, WEB)
- github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819 (nvd, WEB)
- github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j (nvd, WEB)
- github.com/theupdateframework/tuf-conformance/pull/115 (nvd, WEB)
- pkg.go.dev/vuln/GO-2024-3166 (ghsa, WEB)