CVE-2020-6173: Client Denial of Service on TUF
(updated )
An attacker who can gain file access to the repository and modify metadata files may cause a denial of service to clients by creating many invalid signatures on a metadata file. Having a large number of signatures to verify will delay the moment when the client will determine the signature is not valid. This delay may be for at least a few minutes, but possibly could be longer especially if multiple files are impacted.
The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.
References
- github.com/advisories/GHSA-2828-9vh6-9m6j
- github.com/pypa/advisory-database/tree/main/vulns/tuf/PYSEC-2020-146.yaml
- github.com/theupdateframework/tuf
- github.com/theupdateframework/tuf/commits/develop
- github.com/theupdateframework/tuf/issues/973
- github.com/theupdateframework/tuf/security/advisories/GHSA-2828-9vh6-9m6j
- nvd.nist.gov/vuln/detail/CVE-2020-6173
Detect and mitigate CVE-2020-6173 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →