Tough Library Terminating Delegation Validation Vulnerability

Vulnerability

Tough, a Rust client library for The Update Framework (TUF), did not correctly honor terminating delegations in versions prior to 0.20.0. In TUF, a targets role can delegate responsibility for a set of target paths to other roles; when a delegation is marked terminating and the delegated role does not sign the requested target, the client must stop searching and treat the target as not found, rather than fall through to delegations listed later. Before 0.20.0, Tough continued searching the delegation list after a terminating delegation failed to yield the target. In a repository that relies on such delegations, a target could therefore be resolved through a role the repository owner never intended to be consulted for that path, and whoever holds that role's signing keys could supply length and hash values for arbitrary content, which the client would then fetch and accept as the legitimate target.
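The delegation walk described above, modelled as a small Rust program. This is an added example written for this page, not Tough's own code: `resolve_fixed` stops at a terminating delegation as the TUF specification requires, while `resolve_buggy` reproduces the pre-0.20.0 behaviour of continuing past it. The role names, target paths and hash strings in `sample_repo` are constructed for illustration, and signature verification is deliberately left out.

```rust
// Added example, not tough's own code: a minimal model of TUF delegation search
// contrasting correct handling of a terminating delegation with the pre-0.20.0
// behaviour described above. Role names, paths and "hashes" are constructed.
use std::collections::HashMap;
/// A target entry from targets metadata (signatures are out of scope here).
#[derive(Clone, Debug, PartialEq)]
pub struct Target { pub length: u64, pub sha256: String }
/// One entry of a role's `delegations.roles` list.
pub struct Delegation { pub name: String, pub paths: Vec<String>, pub terminating: bool }
/// A targets role: the paths it signs for and the roles it delegates to.
pub struct Role { pub targets: HashMap<String, Target>, pub delegations: Vec<Delegation> }
/// All targets roles of a repository, keyed by role name.
pub struct Repo { pub roles: HashMap<String, Role> }
/// `Terminated`: a terminating delegation ended the whole search without a hit.
enum Outcome { Found(Target), Terminated, NotFound }

/// TUF path-pattern matching: `*` matches any run of characters except `/`,
/// `?` matches one character except `/`, and the whole path must match.
pub fn glob_match(pat: &[u8], s: &[u8]) -> bool {
    match (pat.split_first(), s.split_first()) {
        (None, None) => true,
        (None, Some(_)) => false,
        (Some((&b'*', rest)), _) => {
            glob_match(rest, s) || (!s.is_empty() && s[0] != b'/' && glob_match(pat, &s[1..]))
        }
        (Some((&b'?', prest)), Some((&c, srest))) => c != b'/' && glob_match(prest, srest),
        (Some((&p, prest)), Some((&c, srest))) => p == c && glob_match(prest, srest),
        (Some(_), None) => false,
    }
}

/// Pre-order depth-first walk of the delegation tree (TUF spec section 5.6.7).
/// With `honor_terminating == false` the walk continues past a terminating
/// delegation that did not yield the target, which is the flawed behaviour.
fn search(repo: &Repo, name: &str, path: &str, honor_terminating: bool, visited: &mut Vec<String>) -> Outcome {
    let role = match repo.roles.get(name) { Some(r) => r, None => return Outcome::NotFound };
    if let Some(t) = role.targets.get(path) {
        return Outcome::Found(t.clone());
    }
    for d in &role.delegations {
        // Only delegations whose patterns cover the path are consulted; each role once.
        if !d.paths.iter().any(|p| glob_match(p.as_bytes(), path.as_bytes())) { continue; }
        if visited.contains(&d.name) { continue; }
        visited.push(d.name.clone());
        match search(repo, &d.name, path, honor_terminating, visited) {
            Outcome::NotFound => {}
            other => return other, // Found or Terminated propagate unchanged
        }
        if honor_terminating && d.terminating {
            // The delegated subtree did not sign the target: stop here rather than
            // falling back to later siblings or to ancestors' other delegations.
            return Outcome::Terminated;
        }
    }
    Outcome::NotFound
}

fn resolve(repo: &Repo, path: &str, honor_terminating: bool) -> Option<Target> {
    match search(repo, "targets", path, honor_terminating, &mut vec!["targets".to_string()]) {
        Outcome::Found(t) => Some(t),
        _ => None,
    }
}

/// Correct behaviour (tough 0.20.0 and later).
pub fn resolve_fixed(repo: &Repo, path: &str) -> Option<Target> { resolve(repo, path, true) }
/// Flawed behaviour (tough before 0.20.0): terminating delegations are not honored.
pub fn resolve_buggy(repo: &Repo, path: &str) -> Option<Target> { resolve(repo, path, false) }

fn role(targets: &[(&str, &str)], delegations: Vec<Delegation>) -> Role {
    let targets = targets.iter().map(|(p, h)| (p.to_string(), Target { length: 1024, sha256: h.to_string() })).collect();
    Role { targets, delegations }
}

fn deleg(name: &str, paths: &[&str], terminating: bool) -> Delegation {
    Delegation { name: name.to_string(), paths: paths.iter().map(|p| p.to_string()).collect(), terminating }
}

/// Constructed repository: `targets` hands `packages/*` to `official` with a
/// terminating delegation and only afterwards to `community`, so `community`
/// must never be able to supply a path that `official` did not sign.
pub fn sample_repo() -> Repo {
    let mut roles = HashMap::new();
    roles.insert("targets".to_string(), role(&[("docs/readme.md", "hash-docs-readme")], vec![
        deleg("official", &["packages/*"], true),
        deleg("community", &["packages/*"], false),
    ]));
    roles.insert("official".to_string(), role(&[("packages/tool.tar.gz", "hash-official-tool")], vec![]));
    roles.insert("community".to_string(), role(&[("packages/app.tar.gz", "hash-community-app")], vec![]));
    Repo { roles }
}

fn main() {
    let repo = sample_repo();
    // Fixed client: None (target rejected). Buggy client: community's entry for the path.
    println!("fixed: {:?}", resolve_fixed(&repo, "packages/app.tar.gz"));
    println!("buggy: {:?}", resolve_buggy(&repo, "packages/app.tar.gz"));
}
```

The interesting case is `packages/app.tar.gz`: `official` is responsible for `packages/*` but has not signed that path, so a correct client reports the target as not found and never looks at `community`. The flawed walk falls through to `community`, whose key holder can then publish whatever length and hash they like for a path the repository owner reserved for `official`. `Terminated` is propagated up the recursion rather than treated as a local "not found" because the specification ends the whole search, not just the current sibling list.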

Impact

A client running an affected version of Tough may resolve a target through a delegated role that should not have been consulted for that path and accept the length and hashes that role signed, so content controlled by that role's key holder is fetched and treated as the legitimate target. The issue has been assigned a moderate severity rating.

Remediation

Users are advised to upgrade to Tough version 0.20.0 or later and to apply the same update to any forked or vendored copies of the library. No configuration-level workaround is described; the fix is in the client's delegation search logic, so every consumer of an affected version needs the new release. Instructions for updating can be found in the Tough GitHub repository.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 4.5
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.