CVE-2020-15093 - OpenCVE

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Amazon	Tough

Configuration 1 [-]

cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*

No data.

References

Link	Providers
https://crates.io/crates/tough
https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49
https://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e
https://github.com/theupdateframework/tuf/pull/974

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-07-09T18:45:16

Updated: 2024-08-04T13:08:21.663Z

Reserved: 2020-06-25T00:00:00

Link: CVE-2020-15093

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-07-09T19:15:11.413

Modified: 2021-10-26T19:58:35.917

Link: CVE-2020-15093

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "tough", "vendor": "awslabs", "versions": [{"status": "affected", "version": "< 0.7.1"}]}], "descriptions": [{"lang": "en", "value": "The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-09T18:45:16", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49"}, {"tags": ["x_refsource_MISC"], "url": "https://crates.io/crates/tough"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/theupdateframework/tuf/pull/974"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e"}], "source": {"advisory": "GHSA-5q2r-92f9-4m49", "discovery": "UNKNOWN"}, "title": "Improper verification of signature threshold in tough", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15093", "STATE": "PUBLIC", "TITLE": "Improper verification of signature threshold in tough"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tough", "version": {"version_data": [{"version_value": "< 0.7.1"}]}}]}, "vendor_name": "awslabs"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-347: Improper Verification of Cryptographic Signature"}]}]}, "references": {"reference_data": [{"name": "https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49", "refsource": "CONFIRM", "url": "https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49"}, {"name": "https://crates.io/crates/tough", "refsource": "MISC", "url": "https://crates.io/crates/tough"}, {"name": "https://github.com/theupdateframework/tuf/pull/974", "refsource": "MISC", "url": "https://github.com/theupdateframework/tuf/pull/974"}, {"name": "https://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e", "refsource": "MISC", "url": "https://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e"}]}, "source": {"advisory": "GHSA-5q2r-92f9-4m49", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:08:21.663Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://crates.io/crates/tough"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/theupdateframework/tuf/pull/974"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15093", "datePublished": "2020-07-09T18:45:16", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:08:21.663Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*", "matchCriteriaId": "F72751E9-9A5B-46F0-93CF-AC75DDEF1C17", "versionEndExcluding": "0.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation."}, {"lang": "es", "value": "La biblioteca tough (Rust/crates.io) anterior a la versi\u00f3n 0.7.1, no verifica apropiadamente el umbral de firmas criptogr\u00e1ficas. Permite a un atacante duplicar una firma v\u00e1lida a fin de eludir TUF que requiere un umbral m\u00ednimo de firmas \u00fanicas antes de que los metadatos se consideraran v\u00e1lidos. Una correcci\u00f3n est\u00e1 disponible en la versi\u00f3n 0.7.1. El CVE-2020-6174 es asignado a la misma vulnerabilidad en la implementaci\u00f3n de la referencia TUF"}], "id": "CVE-2020-15093", "lastModified": "2021-10-26T19:58:35.917", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-07-09T19:15:11.413", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://crates.io/crates/tough"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/theupdateframework/tuf/pull/974"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}]}