medium
4.2
CWE
670
Advisory Published
Updated

GHSA-v4wr-j3w6-mxqc

First published: Fri Mar 28 2025(Updated: )

## Summary Delegations are a mechanism defined by the TUF specification that allow multiple different identities to provide and sign content within a single repository. Terminating delegations and delegation priority give a TUF repository unambiguous control over how overlapping delegations are resolved. tough erroneously will not terminate a search as required, and will accept information from a lower-priority delegation that should have been ignored. ## Impact When interacting with TUF repositories that use delegations, the tough client could fetch targets owned by the incorrect role. An actor which had delegated ownership of a subset of a TUF repository could provide arbitrary contents to tough clients for targets owned by the delegating identity. Impacted versions: < v0.20.0 ## Patches A fix for this issue is available in tough version 0.20.0 and later. Customers are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. ## Workarounds There is no recommended work around. Customers are advised to upgrade to version 0.20.0 or the latest version. ## References If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page [1] or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue. [1] Vulnerability reporting page: https://aws.amazon.com/security/vulnerability-reporting ## Acknowledgement We would like to thank Google for collaborating on this issue through the coordinated vulnerability disclosure process.

Affected SoftwareAffected VersionHow to fix
rust/tough<0.20.0
0.20.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of GHSA-v4wr-j3w6-mxqc?

    The severity of GHSA-v4wr-j3w6-mxqc is rated as critical due to the potential for overlapping delegations in TUF repositories.

  • How do I fix GHSA-v4wr-j3w6-mxqc?

    To fix GHSA-v4wr-j3w6-mxqc, upgrade the tough package to version 0.20.0 or later.

  • What does GHSA-v4wr-j3w6-mxqc affect?

    GHSA-v4wr-j3w6-mxqc affects the tough package in Rust versions prior to 0.20.0.

  • What are the implications of GHSA-v4wr-j3w6-mxqc?

    The implications of GHSA-v4wr-j3w6-mxqc include the risk of unauthorized content signing and potential repository integrity violations.

  • Who should be aware of GHSA-v4wr-j3w6-mxqc?

    Developers and maintainers using the tough package for TUF repositories should be aware of GHSA-v4wr-j3w6-mxqc to ensure proper security measures are in place.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203