CVE-2020-6174: Incorrect threshold signature computation in TUF
Metadata signature verification, as used in tuf.client.updater, counted each of multiple signatures with identical authorized keyids separately towards the threshold. Therefore, an attacker with access to a valid signing key could create multiple valid signatures in order to meet the minimum threshold of keys before the metadata was considered valid.
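The counting mistake described above, shown as an added example that is not python-tuf's own code: a minimal threshold check modelled on TUF's role metadata (a list of authorized keyids plus a threshold), with the flawed tally beside a corrected one that counts distinct keyids. Signatures here are HMAC tags over the canonical JSON of the signed object, a stand-in for the public-key signatures real TUF metadata carries; the keyids, secrets and metadata are constructed for the illustration.

```python
"""
Simplified model of threshold signature verification for TUF-style metadata,
written to illustrate CVE-2020-6174. Not python-tuf's own implementation.

Assumptions (not from the advisory): HMAC-SHA256 stands in for ed25519/RSA
verification, and a per-keyid shared secret stands in for the public key.
"""
import hashlib
import hmac
import json

# Constructed role: two authorized keyids, both required (threshold 2).
ROLE = {"keyids": ["key-a", "key-b"], "threshold": 2}

# Constructed key material. "key-c" is a valid key but is NOT authorized
# for ROLE, so its signatures must never count towards the threshold.
KEYS = {"key-a": b"secret-a", "key-b": b"secret-b", "key-c": b"secret-c"}

# Constructed signed object (the part of the metadata that gets signed).
SIGNED = {"_type": "targets", "version": 1, "targets": {}}


def canonical(signed: dict) -> bytes:
    """Deterministic byte encoding of the signed object (TUF uses canonical JSON)."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(keyid: str, signed: dict) -> dict:
    """Produce one {keyid, sig} entry, the shape used in TUF's 'signatures' list."""
    tag = hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return {"keyid": keyid, "sig": tag}


def verify_one(keyid: str, sig: str, signed: dict) -> bool:
    """Check a single signature against the key registered under keyid."""
    if keyid not in KEYS:
        return False
    expected = hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def threshold_met_vulnerable(signatures: list, signed: dict, role: dict) -> bool:
    """Flawed tally (the CVE-2020-6174 behaviour): every valid signature from
    an authorized keyid is counted, so repeats from ONE key reach the threshold."""
    good = 0
    for s in signatures:
        if s["keyid"] in role["keyids"] and verify_one(s["keyid"], s["sig"], signed):
            good += 1
    return good >= role["threshold"]


def threshold_met_fixed(signatures: list, signed: dict, role: dict) -> bool:
    """Corrected tally: count DISTINCT authorized keyids that produced a valid
    signature, so duplicates from the same key contribute only once."""
    good = set()
    for s in signatures:
        if s["keyid"] in role["keyids"] and verify_one(s["keyid"], s["sig"], signed):
            good.add(s["keyid"])
    return len(good) >= role["threshold"]


def demo() -> dict:
    """Compare both tallies on a signature list where one key signed twice."""
    dup = [sign("key-a", SIGNED), sign("key-a", SIGNED)]
    both = [sign("key-a", SIGNED), sign("key-b", SIGNED)]
    return {
        "duplicate_vulnerable": threshold_met_vulnerable(dup, SIGNED, ROLE),
        "duplicate_fixed": threshold_met_fixed(dup, SIGNED, ROLE),
        "two_keys_fixed": threshold_met_fixed(both, SIGNED, ROLE),
    }


if __name__ == "__main__":
    print(demo())
```

With one compromised key, the flawed tally accepts two copies of its signature as if two keys had signed; the corrected tally rejects them, which is the property the fixed release (v0.12.2 per the references below) restores. When reviewing any threshold-signature code, the check to look for is that the count is over the set of keyids, not over the list of signatures.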
The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.
References
- github.com/advisories/GHSA-pwqf-9h7j-7mv8
- github.com/pypa/advisory-database/tree/main/vulns/tuf/PYSEC-2020-147.yaml
- github.com/theupdateframework/python-tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e
- github.com/theupdateframework/tuf
- github.com/theupdateframework/tuf/pull/974
- github.com/theupdateframework/tuf/releases/tag/v0.12.2
- github.com/theupdateframework/tuf/security/advisories/GHSA-pwqf-9h7j-7mv8
- nvd.nist.gov/vuln/detail/CVE-2020-6174