CVE-2025-2885

MEDIUM4.2EPSS 0.26%

tough root metadata version is not checked for sequential versioning

發布日:2025/3/28修改日:2025/10/14
也稱為:GHSA-5vmp-m5v2-hx47

描述

## Summary When updating the root role, a TUF client must establish a trusted line of continuity to the latest set of keys. While sequentially downloading new versions of the root metadata file, tough will not check that the root object version it received was the next sequential version from the previously trusted root metadata. ## Impact The tough client will trust an outdated or rotated root role in the event that an actor with control of the storage medium of a trusted TUF repository inappropriately replaced the contents of one of the root metadata files with an adequately signed previous version. As a result, tough could trust content associated with a previous root role. Impacted versions: < v0.20.0 ## Patches A fix for this issue is available in tough version 0.20.0 and later. Customers are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. ## Workarounds There is no recommended work around. Customers are advised to upgrade to version 0.20.0 or the latest version. ## References If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [[email protected]](mailto:[email protected]). Please do not create a public GitHub issue. [1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting ## Acknowledgement These issues were identified by the [TUF-Conformance project](https://github.com/theupdateframework/tuf-conformance). We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
osvCVSS 3.1MEDIUM4.2CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

參考連結(6)