CVE-2020-15093
HIGHtough < 0.7.1 - Cryptographic Signature Verification Bypass via Duplicate Signature
Title source: llmDescription
The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49
Third Party Advisory x_refsource_misc
https://crates.io/crates/tough
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/theupdateframework/tuf/pull/974
Patch, Third Party Advisory x_refsource_misc
https://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e
Scores
CVSS v3
8.6
EPSS
0.0017
EPSS Percentile
38.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Details
CWE
CWE-347
Status
published
Products (2)
amazon/tough
< 0.7.1
crates.io/tough
0 - 0.7.1crates.io
Published
Jul 09, 2020
Tracked Since
Feb 18, 2026