Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI4MjgtOXZoNi05bTZq

Client Denial of Service on TUF

Impact

An attacker who can gain file access to the repository and modify metadata files may cause a denial of service to clients by creating many invalid signatures on a metadata file. Having a large number of signatures to verify will delay the moment when the client will determine the signature is not valid. This delay may be for at least a few minutes, but possibly could be longer especially if multiple files are impacted.

The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.

Patches

No fix exists for this issue.

Workarounds

No workarounds are known for this issue.

References

• CVE-2020-6173
• Issue #973

Permalink: https://github.com/advisories/GHSA-2828-9vh6-9m6j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTI4MjgtOXZoNi05bTZq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: 3 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Percentage: 0.00098
EPSS Percentile: 0.41863

Identifiers: GHSA-2828-9vh6-9m6j, CVE-2020-6173
References:

• https://github.com/theupdateframework/tuf/security/advisories/GHSA-2828-9vh6-9m6j
• https://nvd.nist.gov/vuln/detail/CVE-2020-6173
• https://github.com/theupdateframework/tuf/issues/973
• https://github.com/theupdateframework/tuf/commits/develop
• https://github.com/pypa/advisory-database/tree/main/vulns/tuf/PYSEC-2020-146.yaml
• https://github.com/advisories/GHSA-2828-9vh6-9m6j

Repository: https://github.com/theupdateframework/tuf
Blast Radius: 8.4

Affected Packages