Tough Missing Root Metadata Version Validation Vulnerability

Vulnerability

Tough, the Rust TUF client library, did not adequately validate the version number of root metadata in versions prior to 0.20.0. When a TUF client updates the root role it fetches N+1.root.json, where N is the root version it currently trusts, and the TUF specification requires it to check that the version field in the signed portion of that file is exactly N+1. Because Tough did not enforce this, a repository, mirror, or network attacker could serve a root file carrying an arbitrary version number in place of the correct one, changing which root version the client ends up trusting. The Tough client might therefore accept outdated or improperly signed root metadata and go on to fetch the wrong content from a TUF repository.

Impact

An attacker who controls what the client downloads (a compromised repository, a malicious mirror, or a network position between the two) can manipulate root metadata versioning so that the Tough client trusts outdated or incorrectly signed root metadata. The client could then accept content associated with a previous root role, for example metadata or targets signed under keys that a newer root had rotated out, undermining the integrity guarantees of the update process.
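The following is an added illustration, not code from the Tough project or from this advisory. It models the root-chain update loop from section 5.3 of the TUF specification in plain Rust with no crates: signatures are represented by a constructed set of key IDs assumed to have verified, the types SignedRoot and RootFile and the key IDs k1, k2, k3 are invented for the example, and the two repositories are constructed in-code. The point it shows is the check this advisory is about: after the signature thresholds pass, the version field inside the signed body must equal the version the client asked for, otherwise a validly signed but stale root (the replay_repo case) would be accepted.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// The signed body of a root.json, reduced to the fields this check needs.
/// These are illustrative types for this example, not tough's own.
#[derive(Clone, Debug, PartialEq)]
pub struct SignedRoot {
    /// The "version" field inside "signed"; TUF requires it to be exactly N+1
    /// when the client fetched the file as N+1.root.json.
    pub version: u64,
    /// Key IDs allowed to sign the root role (stands in for the full keys map).
    pub root_keyids: BTreeSet<&'static str>,
    /// How many of those keys must have signed.
    pub threshold: usize,
}

/// A root.json as served by a repository or mirror. Real signature
/// verification is out of scope here: `valid_sigs` is the constructed set of
/// key IDs whose signatures over `signed` are assumed to have verified.
#[derive(Clone, Debug)]
pub struct RootFile {
    pub signed: SignedRoot,
    pub valid_sigs: BTreeSet<&'static str>,
}

#[derive(Debug, PartialEq)]
pub enum RootError {
    /// Signed version != trusted version + 1 (the check this advisory concerns).
    VersionMismatch { expected: u64, found: u64 },
    /// Too few valid signatures from the currently trusted root's keys.
    ThresholdOldKeys,
    /// Too few valid signatures from the new root's own keys.
    ThresholdNewKeys,
}

fn meets_threshold(file: &RootFile, keys: &BTreeSet<&'static str>, threshold: usize) -> bool {
    file.valid_sigs.iter().filter(|k| keys.contains(*k)).count() >= threshold
}

/// Walk the root chain: starting from `trusted`, fetch N+1.root.json, verify it,
/// and repeat until the repository has no further version (TUF spec section 5.3).
pub fn update_root(
    mut trusted: SignedRoot,
    repo: &BTreeMap<u64, RootFile>,
) -> Result<SignedRoot, RootError> {
    loop {
        let next = trusted.version + 1;
        let file = match repo.get(&next) {
            Some(f) => f,
            None => return Ok(trusted), // no N+1.root.json: the chain is complete
        };
        // Signed by a threshold of the keys in the root we already trust ...
        if !meets_threshold(file, &trusted.root_keyids, trusted.threshold) {
            return Err(RootError::ThresholdOldKeys);
        }
        // ... and by a threshold of the keys the new root itself declares.
        if !meets_threshold(file, &file.signed.root_keyids, file.signed.threshold) {
            return Err(RootError::ThresholdNewKeys);
        }
        // The version check: the signed body must say N+1, not whatever the server sent.
        if file.signed.version != next {
            return Err(RootError::VersionMismatch { expected: next, found: file.signed.version });
        }
        trusted = file.signed.clone();
    }
}

fn keys(ids: &[&'static str]) -> BTreeSet<&'static str> {
    ids.iter().copied().collect()
}

/// Constructed sample: the root the client starts out trusting.
pub fn trusted_root_v1() -> SignedRoot {
    SignedRoot { version: 1, root_keyids: keys(&["k1"]), threshold: 1 }
}

/// Constructed honest repository: v2 adds k2 and raises the threshold, v3 retires k1.
pub fn honest_repo() -> BTreeMap<u64, RootFile> {
    let v2 = SignedRoot { version: 2, root_keyids: keys(&["k1", "k2"]), threshold: 2 };
    let v3 = SignedRoot { version: 3, root_keyids: keys(&["k2", "k3"]), threshold: 2 };
    let mut repo = BTreeMap::new();
    repo.insert(2, RootFile { signed: v2, valid_sigs: keys(&["k1", "k2"]) });
    repo.insert(3, RootFile { signed: v3, valid_sigs: keys(&["k1", "k2", "k3"]) });
    repo
}

/// Constructed rollback: a mirror answers the request for 2.root.json with a
/// copy of the genuine, validly signed version-1 body. Both signature thresholds
/// pass; only the version check tells the client it was handed an old root.
pub fn replay_repo() -> BTreeMap<u64, RootFile> {
    let mut repo = BTreeMap::new();
    repo.insert(2, RootFile { signed: trusted_root_v1(), valid_sigs: keys(&["k1"]) });
    repo
}

fn main() {
    println!("{:?}", update_root(trusted_root_v1(), &honest_repo()));
    println!("{:?}", update_root(trusted_root_v1(), &replay_repo()));
}
```

Running it, the honest chain ends at version 3 with the rotated key set, while the replayed file fails with VersionMismatch { expected: 2, found: 1 } even though every signature on it is valid. A client that skips that comparison (the behaviour this advisory describes for Tough before 0.20.0) would instead adopt whatever version the body claims, which is exactly what lets an attacker pin it to a previous root role.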

Remediation

Upgrade to Tough 0.20.0 or later. If you maintain a fork or vendored copy of Tough, or a tool built on it, make sure it carries the fix as well.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.