Vulnerability Report: GO-2022-1004

GHSA-3633-5h82-39pq
Affects: github.com/theupdateframework/go-tuf
Published: Sep 21, 2022
Modified: May 20, 2024

An attacker with the ability to insert public keys into a TUF repository can cause clients to accept a staged change that has not been signed by the correct threshold of signatures.

For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-3633-5h82-39pq.

Affected Packages

Path

Versions

Symbols
github.com/theupdateframework/go-tuf/verify

before v0.3.2
6 affected symbols

Aliases

GHSA-3633-5h82-39pq

References

https://github.com/advisories/GHSA-3633-5h82-39pq
https://github.com/theupdateframework/go-tuf/pull/369
https://vuln.go.dev/ID/GO-2022-1004.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL