Improper Authentication Affecting github.com/theupdateframework/go-tuf/verify package, versions <0.3.2
Snyk CVSS
Attack Complexity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMTHEUPDATEFRAMEWORKGOTUFVERIFY-3026985
- published 18 Sep 2022
- disclosed 16 Sep 2022
- credit Unknown
How to fix?
Upgrade github.com/theupdateframework/go-tuf/verify to version 0.3.2 or higher.
Overview
Affected versions of this package are vulnerable to Improper Authentication. If an attacker is able to control a threshold of keys to insert the same public key more than once with different key IDs into signed, trusted metadata on a TUF repository, then they can cause the same signature from the same public key to be counted more than once against the threshold of signatures because they were mistakenly distinguished due to having different key IDs.