VYPR

Tough

by Awslabs

cargo: tough

Source repositories

CVEs (6)

  • CVE-2026-6968MedApr 24, 2026
    risk 0.38cvss 5.9epss 0.01

    Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in…

  • CVE-2026-6967MedApr 24, 2026
    risk 0.38cvss 5.9epss 0.00

    Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the…

  • CVE-2026-6966MedApr 24, 2026
    risk 0.34cvss 5.3epss 0.00

    Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept…

  • CVE-2021-41150Oct 19, 2021
    risk 0.00cvss epss 0.01

    Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem.…

  • CVE-2021-41149Oct 19, 2021
    risk 0.00cvss epss 0.01

    Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When…

  • CVE-2020-15093Jul 9, 2020
    risk 0.00cvss epss 0.01

    The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is…