Improper Authentication Affecting github.com/theupdateframework/go-tuf/verify package, versions <0.3.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-GOLANG-GITHUBCOMTHEUPDATEFRAMEWORKGOTUFVERIFY-3026985
- published 18 Sep 2022
- disclosed 16 Sep 2022
- credit Unknown
How to fix?
github.com/theupdateframework/go-tuf/verify to version 0.3.2 or higher.
Affected versions of this package are vulnerable to Improper Authentication. If an attacker is able to control a threshold of keys to insert the same public key more than once with different key IDs into signed, trusted metadata on a TUF repository, then they can cause the same signature from the same public key to be counted more than once against the threshold of signatures because they were mistakenly distinguished due to having different key IDs.