Improper Authentication Affecting github.com/theupdateframework/go-tuf/verify package, versions <0.3.2


0.0
medium

Snyk CVSS

    Attack Complexity High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMTHEUPDATEFRAMEWORKGOTUFVERIFY-3026985
  • published 18 Sep 2022
  • disclosed 16 Sep 2022
  • credit Unknown

How to fix?

Upgrade github.com/theupdateframework/go-tuf/verify to version 0.3.2 or higher.

Overview

Affected versions of this package are vulnerable to Improper Authentication. If an attacker is able to control a threshold of keys to insert the same public key more than once with different key IDs into signed, trusted metadata on a TUF repository, then they can cause the same signature from the same public key to be counted more than once against the threshold of signatures because they were mistakenly distinguished due to having different key IDs.