Tough Rollback Vulnerability in Delegated Targets Metadata

Vulnerability

A vulnerability exists in Tough versions prior to 0.20.0, where the client fails to properly detect rollbacks in delegated targets metadata during a target update. This oversight can lead the client to retrieve targets from incorrect sources, potentially altering the contents of those targets. The issue arises because, while Tough performs a rollback (version) check on regular targets metadata, it does not apply the same check to delegated targets metadata. As a result, Tough may inadvertently trust and download outdated delegated targets that should have been rejected.
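To make the gap concrete, the following is an added Rust example, not Tough's own code. It models the one piece of TUF client logic the advisory is about: comparing the version of each freshly fetched targets metadata file against the version the client already trusts. The TargetsMetadata and TrustedVersions types, the update functions, the role name "apps" and the version numbers are all constructed for illustration and do not correspond to Tough's API. The first update function reproduces the flawed behaviour (the check runs only for the top-level "targets" role), the second applies the check to every role, delegated ones included.

```rust
use std::collections::HashMap;

/// Simplified model of one TUF targets metadata file (top-level "targets"
/// or a delegated role). Hypothetical type for this example, not tough's.
#[derive(Debug, Clone, PartialEq)]
pub struct TargetsMetadata {
    pub role: String,
    pub version: u64,
}

#[derive(Debug, PartialEq)]
pub enum UpdateError {
    /// A fetched metadata file's version is lower than the one already trusted.
    Rollback { role: String, trusted: u64, fetched: u64 },
}

/// Versions the client trusts from its previous update, keyed by role name.
pub type TrustedVersions = HashMap<String, u64>;

/// Rejects a fetched targets file whose version is older than the trusted one.
/// TUF requires this comparison for every metadata role, not just "targets".
fn check_rollback(trusted: &TrustedVersions, fetched: &TargetsMetadata) -> Result<(), UpdateError> {
    if let Some(&old) = trusted.get(&fetched.role) {
        if fetched.version < old {
            return Err(UpdateError::Rollback {
                role: fetched.role.clone(),
                trusted: old,
                fetched: fetched.version,
            });
        }
    }
    Ok(())
}

/// Models the flaw described in the advisory: the rollback check runs only for
/// the top-level "targets" role, so an older delegated file is accepted and
/// becomes the new trusted version.
pub fn update_unchecked_delegations(
    trusted: &mut TrustedVersions,
    fetched: &[TargetsMetadata],
) -> Result<(), UpdateError> {
    for meta in fetched {
        if meta.role == "targets" {
            check_rollback(trusted, meta)?;
        }
        trusted.insert(meta.role.clone(), meta.version);
    }
    Ok(())
}

/// Hardened behaviour: every targets file, top-level or delegated, gets the
/// same check, and nothing is committed to the trusted set unless the whole
/// batch passes, so a rejected update leaves the previous state untouched.
pub fn update_checked_delegations(
    trusted: &mut TrustedVersions,
    fetched: &[TargetsMetadata],
) -> Result<(), UpdateError> {
    for meta in fetched {
        check_rollback(trusted, meta)?;
    }
    for meta in fetched {
        trusted.insert(meta.role.clone(), meta.version);
    }
    Ok(())
}

/// Constructed scenario: the client previously trusted "targets" v3 and the
/// delegated role "apps" v5; the repository now serves "targets" v4 but an
/// older "apps" v2. Only the delegated role has rolled back.
pub fn sample_scenario() -> (TrustedVersions, Vec<TargetsMetadata>) {
    let mut trusted = TrustedVersions::new();
    trusted.insert("targets".to_string(), 3);
    trusted.insert("apps".to_string(), 5);
    let fetched = vec![
        TargetsMetadata { role: "targets".to_string(), version: 4 },
        TargetsMetadata { role: "apps".to_string(), version: 2 },
    ];
    (trusted, fetched)
}

fn main() {
    let (trusted, fetched) = sample_scenario();
    let mut unchecked = trusted.clone();
    println!("unchecked delegations: {:?}", update_unchecked_delegations(&mut unchecked, &fetched));
    let mut checked = trusted;
    println!("checked delegations:   {:?}", update_checked_delegations(&mut checked, &fetched));
}
```

In the flawed variant the call succeeds and the trusted version of "apps" silently drops from 5 to 2, which is the rollback the advisory describes; in the hardened variant the update fails with a Rollback error for "apps" and both trusted versions stay where they were. A real client performs this comparison alongside signature, expiry and snapshot-consistency checks, which the example omits.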

Impact

This vulnerability could cause Tough to download and trust outdated delegated targets metadata, leading to the use of incorrect or modified target contents.

Remediation

Users are advised to upgrade to Tough version 0.20.0 or later and to patch any forked or derivative code to include the latest fixes.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.