blob: 4b89249e70ef2970e08934db22937542e8e2c8f7 [file] [log] [blame]
id: GO-2022-0444
modules:
- module: github.com/theupdateframework/go-tuf
versions:
- fixed: 0.3.0
vulnerable_at: 0.2.0
packages:
- package: github.com/theupdateframework/go-tuf/client
symbols:
- Client.Update
- Client.UpdateRoots
- Client.downloadMetaFromSnapshot
- Client.downloadMetaFromTimestamp
- Client.decodeRoot
- Client.decodeTargets
- Client.decodeTimestamp
derived_symbols:
- Client.Download
- Client.Init
- Client.Target
- package: github.com/theupdateframework/go-tuf/util
symbols:
- TimestampFileMetaEqual
summary: Version rollback attack in github.com/theupdateframework/go-tuf
description: |-
The TUF client is vulnerable to rollback attacks, in which an attacker causes a
client to install software older than the software the client previously knew to
be available.
published: 2022-07-01T20:07:44Z
cves:
- CVE-2022-29173
ghsas:
- GHSA-66x3-6cw3-v5gj
references:
- fix: https://github.com/theupdateframework/go-tuf/commit/ed6788e710fc3093a7ecc2d078bf734c0f200d8d