GHSA-2828-9vh6-9m6j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2828-9vh6-9m6j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-2828-9vh6-9m6j/GHSA-2828-9vh6-9m6j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2828-9vh6-9m6j
- Aliases
- Published
- 2020-08-21T16:25:48Z
- Modified
- 2024-11-18T22:46:46.155030Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Client Denial of Service on TUF
- Details
-
Impact
An attacker who can gain file access to the repository and modify metadata files may cause a denial of service to clients by creating many invalid signatures on a metadata file. Having a large number of signatures to verify will delay the moment when the client will determine the signature is not valid. This delay may be for at least a few minutes, but possibly could be longer especially if multiple files are impacted.
The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.
Patches
No fix exists for this issue.
Workarounds
No workarounds are known for this issue.
References
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-400" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-08-21T16:19:09Z" }- References
-
- https://github.com/theupdateframework/tuf/security/advisories/GHSA-2828-9vh6-9m6j
- https://nvd.nist.gov/vuln/detail/CVE-2020-6173
- https://github.com/theupdateframework/tuf/issues/973
- https://github.com/pypa/advisory-database/tree/main/vulns/tuf/PYSEC-2020-146.yaml
- https://github.com/theupdateframework/tuf
- https://github.com/theupdateframework/tuf/commits/develop
Affected packages
PyPI / tuf
Package
- Name
- tuf
- View open source insights on deps.dev
- Purl
- pkg:pypi/tuf