GHSA-3633-5h82-39pq: Go-tuf Improperly handles multiple key IDs for the same public keys in attacker-controlled metadata

September 16, 2022 (updated May 20, 2024)

While the impact is potentially high, the severity is low as it requires either attackers or the repository (deliberately or mistakenly respectively) to have produced such an incorrect distribution of public keys, causing clients < 0.3.2 to fall prey to this issue.

References

github.com/advisories/GHSA-3633-5h82-39pq
github.com/theupdateframework/go-tuf
github.com/theupdateframework/go-tuf/pull/369
github.com/theupdateframework/go-tuf/security/advisories/GHSA-3633-5h82-39pq
pkg.go.dev/vuln/GO-2022-1004

Detect and mitigate GHSA-3633-5h82-39pq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →