Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI4MjgtOXZoNi05bTZq
Client Denial of Service on TUF
Impact
An attacker who can gain file access to the repository and modify metadata files may cause a denial of service to clients by creating many invalid signatures on a metadata file. Having a large number of signatures to verify will delay the moment when the client will determine the signature is not valid. This delay may be for at least a few minutes, but possibly could be longer especially if multiple files are impacted.
The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.
Patches
No fix exists for this issue.
Workarounds
No workarounds are known for this issue.
References
Permalink: https://github.com/advisories/GHSA-2828-9vh6-9m6jJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI4MjgtOXZoNi05bTZq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-2828-9vh6-9m6j, CVE-2020-6173
References:
- https://github.com/theupdateframework/tuf/security/advisories/GHSA-2828-9vh6-9m6j
- https://nvd.nist.gov/vuln/detail/CVE-2020-6173
- https://github.com/theupdateframework/tuf/issues/973
- https://github.com/theupdateframework/tuf/commits/develop
- https://github.com/advisories/GHSA-2828-9vh6-9m6j
Blast Radius: 8.4
Affected Packages
pypi:tuf
Dependent packages: 2Dependent repositories: 39
Downloads: 167,367 last month
Affected Version Ranges: <= 0.13.0
No known fixed version
All affected versions: 0.7.5, 0.9.8, 0.9.9, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.12.0, 0.12.1, 0.12.2, 0.13.0