tuf is vulnerable to Improper Verification of Cryptographic Signature
Low Risk
Affected versions do not properly verify cryptographic signatures in Targets.get_delegated_role of tuf.api.metadata when succinct (hash-bin) delegations are in use: the method does not check that the delegated_role name it is handed is one the delegating Targets actually delegates to. An attacker who can convince a Metadata API user to call it with a role name that was never delegated can therefore influence the outcome of delegation verification. Users following the typical client workflow are not affected, because in that flow the delegated role name is derived from the trusted delegating Targets itself rather than supplied from outside. The signature check itself is not weakened: metadata verified through this path must still be correctly signed by the keys listed in the delegating role.
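The following is an added example, not code from the tuf project, that models the distinction the advisory draws. It assumes a TAP 15 style succinct delegation in which bin names are the prefix followed by a dash and a zero-padded lowercase hex bin index chosen by the top bit_length bits of SHA-256(target path); the class and method names (SuccinctRoles, Targets, get_delegated_role, get_role_for_target, is_delegated_role) mirror the concepts but the bodies, the unchecked variant and the ValueError on an undelegated name are this example's own, not an assertion about tuf's exact API. It shows why a caller-supplied role name needs to be checked against what the delegation actually produces, and why the usual client flow, which derives the name from the trusted Targets, never trips that check.

```python
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SuccinctRoles:
    """Model of a succinct hash-bin delegation (assumed TAP 15 layout, not tuf's class)."""
    keyids: tuple[str, ...]
    threshold: int
    bit_length: int
    name_prefix: str

    @property
    def suffix_len(self) -> int:
        # hex digits needed to write the largest bin index, 2**bit_length - 1
        return math.ceil(self.bit_length / 4)

    def bin_name(self, index: int) -> str:
        return f"{self.name_prefix}-{index:0{self.suffix_len}x}"

    def get_role_for_target(self, target_filepath: str) -> str:
        """The trusted Targets picks the bin: top bit_length bits of SHA-256(path)."""
        digest = hashlib.sha256(target_filepath.encode()).digest()
        index = int.from_bytes(digest, "big") >> (256 - self.bit_length)
        return self.bin_name(index)

    def is_delegated_role(self, role_name: str) -> bool:
        """True only for names this delegation actually produces."""
        prefix = self.name_prefix + "-"
        if not role_name.startswith(prefix):
            return False
        suffix = role_name[len(prefix):]
        try:
            index = int(suffix, 16)
        except ValueError:
            return False
        if not 0 <= index < 2 ** self.bit_length:
            return False
        # Reject wrong padding, upper-case hex, signs or whitespace int() tolerates.
        return role_name == self.bin_name(index)


@dataclass
class Targets:
    succinct_roles: SuccinctRoles

    def get_delegated_role_unchecked(self, delegated_role: str) -> SuccinctRoles:
        """Behaviour the advisory describes: the name is never compared to the delegation."""
        return self.succinct_roles

    def get_delegated_role(self, delegated_role: str) -> SuccinctRoles:
        """Checked lookup: refuse any name the delegation does not actually cover."""
        if not self.succinct_roles.is_delegated_role(delegated_role):
            raise ValueError(f"{delegated_role!r} is not delegated by this Targets")
        return self.succinct_roles


def role_for_client_lookup(targets: Targets, target_filepath: str) -> str:
    """Typical client workflow: the name comes from the trusted Targets, so the check passes."""
    name = targets.succinct_roles.get_role_for_target(target_filepath)
    targets.get_delegated_role(name)  # would raise only if the name were not delegated
    return name


def lookup_succeeds(targets: Targets, role_name: str, checked: bool) -> bool:
    """Whether a caller-supplied role name is accepted, with and without the check."""
    try:
        if checked:
            targets.get_delegated_role(role_name)
        else:
            targets.get_delegated_role_unchecked(role_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample delegation: 1024 bins named bins-000 .. bins-3ff
    roles = SuccinctRoles(keyids=("k1",), threshold=1, bit_length=10, name_prefix="bins")
    targets = Targets(roles)
    print("client-derived name:", role_for_client_lookup(targets, "pkg/foo-1.0.tar.gz"))
    for name in ("bins-000", "bins-3ff", "bins-400", "bins-00F", "evil"):
        print(name, "unchecked:", lookup_succeeds(targets, name, checked=False),
              "checked:", lookup_succeeds(targets, name, checked=True))
```

The names bins-400 (index out of range), bins-00F (upper-case hex) and evil are all accepted by the unchecked lookup and refused by the checked one, while a name produced by get_role_for_target is accepted by both; that is the difference between a caller-controlled delegated_role and one taken from the delegating Targets.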
You are affected if you use tuf at any version in the vulnerable range: versions 2.0.0 through 3.1.0 inclusive.
Upgrade tuf to a patched release later than 3.1.0 that contains the fix.