medium
4.2
CWE
1288
Advisory Published
Updated

GHSA-5vmp-m5v2-hx47

First published: Fri Mar 28 2025(Updated: )

## Summary When updating the root role, a TUF client must establish a trusted line of continuity to the latest set of keys. While sequentially downloading new versions of the root metadata file, tough will not check that the root object version it received was the next sequential version from the previously trusted root metadata. ## Impact The tough client will trust an outdated or rotated root role in the event that an actor with control of the storage medium of a trusted TUF repository inappropriately replaced the contents of one of the root metadata files with an adequately signed previous version. As a result, tough could trust content associated with a previous root role. Impacted versions: < v0.20.0 ## Patches A fix for this issue is available in tough version 0.20.0 and later. Customers are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. ## Workarounds There is no recommended work around. Customers are advised to upgrade to version 0.20.0 or the latest version. ## References If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue. [1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting ## Acknowledgement We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.

Affected SoftwareAffected VersionHow to fix
rust/tough<0.20.0
0.20.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of GHSA-5vmp-m5v2-hx47?

    The severity of GHSA-5vmp-m5v2-hx47 is classified as moderate.

  • How do I fix GHSA-5vmp-m5v2-hx47?

    To fix GHSA-5vmp-m5v2-hx47, you should update the tough package to version 0.20.0 or later.

  • What vulnerability does GHSA-5vmp-m5v2-hx47 address?

    GHSA-5vmp-m5v2-hx47 addresses an issue in the way TUF clients handle the root metadata file, which may lead to improper key continuity.

  • Which software is affected by GHSA-5vmp-m5v2-hx47?

    GHSA-5vmp-m5v2-hx47 affects the tough package in versions prior to 0.20.0.

  • What are the potential consequences of GHSA-5vmp-m5v2-hx47?

    The potential consequences include an inability to securely update the root metadata, which may expose clients to inconsistent key states.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203