CVE-2024-47534 HIGH

CVE-2024-47534: Incorrect delegation lookups can make go-tuf download the wrong artifact

Vendor Theupdateframework
Product go-tuf
Weakness CWE-362
Published October 1, 2024
Last update November 21, 2024

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Attack requirements Present
Privileges required None
User interaction None
Confidentiality (vulnerable system) None
Integrity (vulnerable system) High
Availability (vulnerable system) None
Subsequent system impact None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

go-tuf is a Go implementation of The Update Framework (TUF). Before 2.0.1, the go-tuf client does not trace delegations consistently. TUF requires a pre-order depth-first walk of the delegation graph in the listed priority order: if the top-level targets role delegates to "A" and then to "B", and "B" in turn delegates to "C", the client must consult "A", then "B", then "C". go-tuf may instead consult "B", then "C", then "A". Because the first role visited that signs a matching target entry decides which file, length and hashes the client accepts, walking the delegations out of order can make the client download and verify a lower-priority delegatee's artifact instead of the one the repository intended. This vulnerability is fixed in 2.0.1.
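The following Go program is an added illustration of the traversal rule the advisory describes; it is not code from go-tuf or from the advisory. It implements the pre-order depth-first delegation walk TUF prescribes over a small constructed repository (targets delegates to "A" then "B", "B" delegates to "C", and both "A" and "C" sign an entry for the same path with different digests), and then runs the same walk with the sibling order flipped. The Role and Delegation types, the sample repository in Repo(), the digests, and the ReversedOrder helper are all assumptions made for the example; ReversedOrder is only a stand-in that reproduces the "B" -> "C" -> "A" order from the description, not the actual mechanism of the go-tuf bug.

```go
package main

import (
	"fmt"
	"path"
)

// Delegation is one entry of a role's delegations list, in listed priority order.
type Delegation struct {
	Role        string
	Paths       []string // path patterns the delegated role is trusted for
	Terminating bool     // a match here ends the search even if the target is absent
}

// Role is a simplified targets role: its own target entries plus its delegations.
// Constructed model for illustration; these are not go-tuf's metadata types.
type Role struct {
	Targets     map[string]string // target path -> hex digest
	Delegations []Delegation
}

// Lookup records the outcome of a delegation walk.
type Lookup struct {
	Digest  string   // digest of the chosen entry ("" if no role signs the target)
	Role    string   // role whose entry was chosen
	Visited []string // roles consulted, in the order they were consulted
}

// SpecOrder keeps delegations in the order the metadata lists them, as TUF requires.
func SpecOrder(ds []Delegation) []Delegation { return ds }

// ReversedOrder is a constructed stand-in for an inconsistent sibling order. It is
// used only to show the effect of walking "B" -> "C" -> "A" instead of "A" -> "B" -> "C".
func ReversedOrder(ds []Delegation) []Delegation {
	out := make([]Delegation, len(ds))
	for i, d := range ds {
		out[len(ds)-1-i] = d
	}
	return out
}

func matches(d Delegation, target string) bool {
	for _, p := range d.Paths {
		if ok, _ := path.Match(p, target); ok {
			return true
		}
	}
	return false
}

// walk is the pre-order depth-first search: consult a role's own targets first,
// then each matching delegation in priority order, descending fully into one
// before moving to the next sibling. visited guards against delegation cycles.
// It returns true as soon as a decision is made (entry found, or a matching
// terminating delegation exhausted).
func walk(roles map[string]*Role, name, target string, order func([]Delegation) []Delegation, visited map[string]bool, res *Lookup) bool {
	if visited[name] {
		return false
	}
	visited[name] = true
	res.Visited = append(res.Visited, name)
	r, ok := roles[name]
	if !ok {
		return false
	}
	if d, ok := r.Targets[target]; ok {
		res.Digest, res.Role = d, name
		return true
	}
	for _, del := range order(r.Delegations) {
		if !matches(del, target) {
			continue
		}
		if walk(roles, del.Role, target, order, visited, res) {
			return true
		}
		if del.Terminating {
			return true // terminating delegation matched: siblings are not consulted
		}
	}
	return false
}

// Resolve runs the walk from the top-level "targets" role.
func Resolve(roles map[string]*Role, target string, order func([]Delegation) []Delegation) Lookup {
	var res Lookup
	walk(roles, "targets", target, order, map[string]bool{}, &res)
	return res
}

// Repo builds the advisory's example graph: targets -> A, targets -> B, B -> C.
// Both A and C sign "pkg/app.tar.gz" with different digests (constructed data),
// so the traversal order alone decides which artifact a client would download.
func Repo() map[string]*Role {
	return map[string]*Role{
		"targets": {Delegations: []Delegation{
			{Role: "A", Paths: []string{"pkg/*"}},
			{Role: "B", Paths: []string{"pkg/*"}},
		}},
		"A": {Targets: map[string]string{"pkg/app.tar.gz": "aaaa1111"}},
		"B": {Delegations: []Delegation{{Role: "C", Paths: []string{"pkg/*"}}}},
		"C": {Targets: map[string]string{"pkg/app.tar.gz": "cccc3333"}},
	}
}

func main() {
	good := Resolve(Repo(), "pkg/app.tar.gz", SpecOrder)
	bad := Resolve(Repo(), "pkg/app.tar.gz", ReversedOrder)
	fmt.Println("spec order: ", good.Visited, "->", good.Role, good.Digest)
	fmt.Println("wrong order:", bad.Visited, "->", bad.Role, bad.Digest)
}
```

With the spec order the walk stops at "A" and never reaches "B" or "C"; with the flipped sibling order it descends into "B" and accepts "C"'s entry, so the client would fetch and successfully verify an artifact with digest cccc3333 even though the repository operator gave "A" priority for that path. Any client-side check that depends on delegation priority (for example, confining a less-trusted delegatee to paths a higher-priority role has not already claimed) is only as strong as the traversal order.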

Key dates

02 Disclosure timeline

October 1, 2024 CVE published
November 21, 2024 Record updated