CVE-2026-23992
go-tuf improperly validates the configured threshold for delegations
Severity: MEDIUM (CVSS 5.9). EPSS: 0.01%.
Description
# Security Disclosure: Improper validation of configured threshold for delegations

## Summary

A compromised or misconfigured TUF repository can set the signature threshold of a role to 0, which effectively disables signature verification for that role.

## Impact

Unauthorized modification of TUF metadata files is possible at rest or in transit, because no integrity check is enforced when the threshold is 0 or negative.

## Patches

Upgrade to v2.3.1.

## Workarounds

Always make sure that the TUF metadata roles are configured with a threshold of at least 1.

## Affected code

`metadata.VerifyDelegate` did not validate the configured threshold before comparing it with the number of valid signatures. A misconfigured TUF repository could therefore disable signature verification by setting the threshold to 0 or to a negative value, so that the comparison "valid signatures >= threshold" always passes, even with zero signatures.
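To make the failure mode concrete, here is an added example (not go-tuf's own code; the `Role`, `Signature`, `Keyring` types and the `verifyVulnerable` / `verifyFixed` functions are simplified stand-ins written for this page) that reproduces the flawed comparison beside the hardened form. Real ed25519 signatures are counted per distinct authorised key, and the only difference between the two verifiers is the threshold sanity check that the fix adds before counting.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Role is a minimal stand-in for a TUF role (top-level or delegated):
// the key IDs allowed to sign and the number of them that must sign.
// Hypothetical type for this example, not go-tuf's metadata.Role.
type Role struct {
	KeyIDs    []string
	Threshold int
}

// Signature pairs a key ID with an ed25519 signature over the signed bytes.
type Signature struct {
	KeyID string
	Sig   []byte
}

// Keyring maps key IDs to public keys (constructed for this example).
type Keyring map[string]ed25519.PublicKey

// keyID derives a short identifier from a public key (example convention only).
func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub[:8]) }

// countValid returns how many distinct role-authorised keys produced a valid
// signature over signed. A key is counted at most once, as TUF requires.
func countValid(role Role, keys Keyring, signed []byte, sigs []Signature) int {
	allowed := map[string]bool{}
	for _, id := range role.KeyIDs {
		allowed[id] = true
	}
	seen := map[string]bool{}
	n := 0
	for _, s := range sigs {
		pub, ok := keys[s.KeyID]
		if !ok || !allowed[s.KeyID] || seen[s.KeyID] {
			continue
		}
		if ed25519.Verify(pub, signed, s.Sig) {
			seen[s.KeyID] = true
			n++
		}
	}
	return n
}

// verifyVulnerable mirrors the flaw the advisory describes: the configured
// threshold is trusted as-is, so a threshold of 0 or less is "met" by zero
// valid signatures and tampered metadata is accepted.
func verifyVulnerable(role Role, keys Keyring, signed []byte, sigs []Signature) error {
	if countValid(role, keys, signed, sigs) < role.Threshold {
		return errors.New("not enough valid signatures")
	}
	return nil
}

// verifyFixed rejects an unsound threshold before any signature is counted,
// which is the check the advisory says was missing.
func verifyFixed(role Role, keys Keyring, signed []byte, sigs []Signature) error {
	if role.Threshold < 1 {
		return fmt.Errorf("invalid threshold %d: must be at least 1", role.Threshold)
	}
	return verifyVulnerable(role, keys, signed, sigs)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	id := keyID(pub)
	keys := Keyring{id: pub}
	payload := []byte(`{"_type":"targets","version":1}`) // constructed sample
	sigs := []Signature{{KeyID: id, Sig: ed25519.Sign(priv, payload)}}

	zero := Role{KeyIDs: []string{id}, Threshold: 0}
	fmt.Println("threshold 0, no signatures, vulnerable:", verifyVulnerable(zero, keys, payload, nil))
	fmt.Println("threshold 0, no signatures, fixed:     ", verifyFixed(zero, keys, payload, nil))

	one := Role{KeyIDs: []string{id}, Threshold: 1}
	fmt.Println("threshold 1, one valid signature, fixed:", verifyFixed(one, keys, payload, sigs))
	fmt.Println("threshold 1, tampered payload, fixed:   ", verifyFixed(one, keys, []byte("tampered"), sigs))
}
```

With a threshold of 0 the vulnerable verifier returns nil for unsigned or tampered metadata, while the fixed verifier refuses the role outright; with a threshold of 1 both behave identically, which is why the workaround of configuring every role with a threshold of at least 1 is sufficient on unpatched versions.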
Affected packages
- Debian / golang-github-theupdateframework-go-tuf: from 0
- Go / github.com/theupdateframework/go-tuf/v2: from 0, < 2.3.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.9) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-23992
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2026-23992
- PATCH: https://github.com/theupdateframework/go-tuf
- WEB: https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0
- WEB: https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1
- WEB: https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525