Search

Find a vulnerability

Search criteria

    14 vulnerabilities found for tough by AWS

    CVE-2026-6968 (GCVE-0-2026-6968)

    Vulnerability from nvd – Published: 2026-04-24 19:44 – Updated: 2026-04-24 20:10
    VLAI
    Title
    Multiple Path Traversal Variants in awslabs/tough
    Summary
    Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6968",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T20:09:33.745527Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T20:10:00.800Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.22.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "tuftool",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIncomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.\u003c/p\u003e\u003cp\u003eWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.\u003c/p\u003e"
                }
              ],
              "value": "Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126: Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T19:59:42.176Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tough/0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tuftool/0.15.0"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-v57p-gppj-p9vg"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Multiple Path Traversal Variants in awslabs/tough",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2026-6968",
        "datePublished": "2026-04-24T19:44:44.835Z",
        "dateReserved": "2026-04-24T16:15:48.228Z",
        "dateUpdated": "2026-04-24T20:10:00.800Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6967 (GCVE-0-2026-6967)

    Vulnerability from nvd – Published: 2026-04-24 19:41 – Updated: 2026-04-24 20:13
    VLAI
    Title
    Missing Delegated Metadata Validation in awslabs/tough
    Summary
    Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6967",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T20:13:04.619106Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T20:13:20.016Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.22.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "tuftool",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMissing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.\u003c/p\u003e\u003cp\u003eWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.\u003c/p\u003e"
                }
              ],
              "value": "Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-141",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-141: Cache Poisoning"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T19:59:27.098Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tough/0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tuftool/0.15.0"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-4v58-8p28-2rq3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Delegated Metadata Validation in awslabs/tough",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2026-6967",
        "datePublished": "2026-04-24T19:41:43.460Z",
        "dateReserved": "2026-04-24T16:15:46.781Z",
        "dateUpdated": "2026-04-24T20:13:20.016Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6966 (GCVE-0-2026-6966)

    Vulnerability from nvd – Published: 2026-04-24 19:38 – Updated: 2026-04-24 20:15
    VLAI
    Title
    Signature Threshold Bypass in awslabs/tough Delegated Roles
    Summary
    Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6966",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T20:15:12.033311Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T20:15:28.842Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.22.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "tuftool",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.\u003c/p\u003e\u003cp\u003eWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-475",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-475: Signature Spoofing by Misrepresentation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T19:59:12.012Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tough/0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tuftool/0.15.0"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-8m7c-8m39-rv4x"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Signature Threshold Bypass in awslabs/tough Delegated Roles",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2026-6966",
        "datePublished": "2026-04-24T19:38:24.907Z",
        "dateReserved": "2026-04-24T16:15:44.932Z",
        "dateUpdated": "2026-04-24T20:15:28.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2888 (GCVE-0-2025-2888)

    Vulnerability from nvd – Published: 2025-03-27 22:23 – Updated: 2025-10-14 18:27
    VLAI
    Title
    Improper timestamp caching during snapshot rollback in tough
    Summary
    During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1025 - Comparison Using Wrong Factors
    Assigner
    Impacted products
    Vendor Product Version
    AWS tough Affected: 0.1.0 , < 0.20.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2888",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T14:33:15.822940Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T14:33:40.221Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "repo": "https://github.com/awslabs/tough",
              "vendor": "AWS",
              "versions": [
                {
                  "lessThan": "0.20.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eDuring a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\u003c/p\u003e"
                }
              ],
              "value": "During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-25",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-25 Forced Deadlock"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1025",
                  "description": "CWE-1025: Comparison Using Wrong Factors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-14T18:27:20.982Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper timestamp caching during snapshot rollback in tough",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2025-2888",
        "datePublished": "2025-03-27T22:23:48.886Z",
        "dateReserved": "2025-03-27T21:08:16.138Z",
        "dateUpdated": "2025-10-14T18:27:20.982Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2887 (GCVE-0-2025-2887)

    Vulnerability from nvd – Published: 2025-03-27 22:23 – Updated: 2025-10-14 18:25
    VLAI
    Title
    Failure to detect delegated target rollback in tough
    Summary
    During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1025 - Comparison Using Wrong Factors
    Assigner
    Impacted products
    Vendor Product Version
    AWS tough Affected: 0.1.0 , < 0.20.0 (semver)
    Create a notification for this product.
    Date Public
    2025-03-27 21:30
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2887",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T14:44:40.783814Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T14:44:49.310Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "repo": "https://github.com/awslabs/tough",
              "vendor": "AWS",
              "versions": [
                {
                  "lessThan": "0.20.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-03-27T21:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eDuring a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-25",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-25 Forced Deadlock"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1025",
                  "description": "CWE-1025: Comparison Using Wrong Factors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-14T18:25:28.087Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Failure to detect delegated target rollback in tough",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2025-2887",
        "datePublished": "2025-03-27T22:23:04.038Z",
        "dateReserved": "2025-03-27T21:08:15.590Z",
        "dateUpdated": "2025-10-14T18:25:28.087Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2886 (GCVE-0-2025-2886)

    Vulnerability from nvd – Published: 2025-03-27 22:22 – Updated: 2025-10-14 18:23
    VLAI
    Title
    Terminating targets role delegations are not respected in tough
    Summary
    Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-670 - Always-Incorrect Control Flow Implementation
    Assigner
    Impacted products
    Vendor Product Version
    AWS tough Affected: 0.1.0 , < 0.20.0 (semver)
    Create a notification for this product.
    Date Public
    2025-03-27 21:30
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2886",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T15:43:34.765460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T15:43:49.713Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "repo": "https://github.com/awslabs/tough",
              "vendor": "AWS",
              "versions": [
                {
                  "lessThan": "0.20.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-03-27T21:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eMissing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-439",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-439 Manipulation During Distribution"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-670",
                  "description": "CWE-670 Always-Incorrect Control Flow Implementation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-14T18:23:47.183Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-v4wr-j3w6-mxqc"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Terminating targets role delegations are not respected in tough",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2025-2886",
        "datePublished": "2025-03-27T22:22:14.382Z",
        "dateReserved": "2025-03-27T21:08:14.876Z",
        "dateUpdated": "2025-10-14T18:23:47.183Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2885 (GCVE-0-2025-2885)

    Vulnerability from nvd – Published: 2025-03-27 22:18 – Updated: 2025-10-14 18:22
    VLAI
    Title
    Root metadata version not validated in tough
    Summary
    Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1288 - Improper Validation of Consistency within Input
    Assigner
    Impacted products
    Vendor Product Version
    AWS tough Affected: 0.1.0 , < 0.20.0 (semver)
    Create a notification for this product.
    Date Public
    2025-03-27 21:30
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2885",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T15:47:22.646997Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T15:47:35.890Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "repo": "https://github.com/awslabs/tough",
              "vendor": "AWS",
              "versions": [
                {
                  "lessThan": "0.20.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-03-27T21:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMissing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-153 Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1288",
                  "description": "CWE-1288: Improper Validation of Consistency within Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-14T18:22:42.170Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-5vmp-m5v2-hx47"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Root metadata version not validated in tough",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2025-2885",
        "datePublished": "2025-03-27T22:18:11.727Z",
        "dateReserved": "2025-03-27T21:08:13.996Z",
        "dateUpdated": "2025-10-14T18:22:42.170Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-6968 (GCVE-0-2026-6968)

    Vulnerability from cvelistv5 – Published: 2026-04-24 19:44 – Updated: 2026-04-24 20:10
    VLAI
    Title
    Multiple Path Traversal Variants in awslabs/tough
    Summary
    Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6968",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T20:09:33.745527Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T20:10:00.800Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.22.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "tuftool",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eIncomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.\u003c/p\u003e\u003cp\u003eWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.\u003c/p\u003e"
                }
              ],
              "value": "Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126: Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T19:59:42.176Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tough/0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tuftool/0.15.0"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-v57p-gppj-p9vg"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Multiple Path Traversal Variants in awslabs/tough",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2026-6968",
        "datePublished": "2026-04-24T19:44:44.835Z",
        "dateReserved": "2026-04-24T16:15:48.228Z",
        "dateUpdated": "2026-04-24T20:10:00.800Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6967 (GCVE-0-2026-6967)

    Vulnerability from cvelistv5 – Published: 2026-04-24 19:41 – Updated: 2026-04-24 20:13
    VLAI
    Title
    Missing Delegated Metadata Validation in awslabs/tough
    Summary
    Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6967",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T20:13:04.619106Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T20:13:20.016Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.22.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "tuftool",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMissing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.\u003c/p\u003e\u003cp\u003eWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.\u003c/p\u003e"
                }
              ],
              "value": "Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-141",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-141: Cache Poisoning"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "LOW",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:L",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T19:59:27.098Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tough/0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tuftool/0.15.0"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-4v58-8p28-2rq3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Delegated Metadata Validation in awslabs/tough",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2026-6967",
        "datePublished": "2026-04-24T19:41:43.460Z",
        "dateReserved": "2026-04-24T16:15:46.781Z",
        "dateUpdated": "2026-04-24T20:13:20.016Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6966 (GCVE-0-2026-6966)

    Vulnerability from cvelistv5 – Published: 2026-04-24 19:38 – Updated: 2026-04-24 20:15
    VLAI
    Title
    Signature Threshold Bypass in awslabs/tough Delegated Roles
    Summary
    Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6966",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T20:15:12.033311Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T20:15:28.842Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.22.0"
                }
              ]
            },
            {
              "defaultStatus": "unaffected",
              "product": "tuftool",
              "vendor": "AWS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "0.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eImproper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.\u003c/p\u003e\u003cp\u003eWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.\u003c/p\u003e"
                }
              ],
              "value": "Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata.\n\nWe recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-475",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-475: Signature Spoofing by Misrepresentation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T19:59:12.012Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/2026-019-aws/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tuftool-v0.15.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tough/0.22.0"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://crates.io/crates/tuftool/0.15.0"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-8m7c-8m39-rv4x"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Signature Threshold Bypass in awslabs/tough Delegated Roles",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2026-6966",
        "datePublished": "2026-04-24T19:38:24.907Z",
        "dateReserved": "2026-04-24T16:15:44.932Z",
        "dateUpdated": "2026-04-24T20:15:28.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2888 (GCVE-0-2025-2888)

    Vulnerability from cvelistv5 – Published: 2025-03-27 22:23 – Updated: 2025-10-14 18:27
    VLAI
    Title
    Improper timestamp caching during snapshot rollback in tough
    Summary
    During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1025 - Comparison Using Wrong Factors
    Assigner
    Impacted products
    Vendor Product Version
    AWS tough Affected: 0.1.0 , < 0.20.0 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2888",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T14:33:15.822940Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T14:33:40.221Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "repo": "https://github.com/awslabs/tough",
              "vendor": "AWS",
              "versions": [
                {
                  "lessThan": "0.20.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eDuring a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\u003c/p\u003e"
                }
              ],
              "value": "During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-25",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-25 Forced Deadlock"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1025",
                  "description": "CWE-1025: Comparison Using Wrong Factors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-14T18:27:20.982Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Improper timestamp caching during snapshot rollback in tough",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2025-2888",
        "datePublished": "2025-03-27T22:23:48.886Z",
        "dateReserved": "2025-03-27T21:08:16.138Z",
        "dateUpdated": "2025-10-14T18:27:20.982Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2887 (GCVE-0-2025-2887)

    Vulnerability from cvelistv5 – Published: 2025-03-27 22:23 – Updated: 2025-10-14 18:25
    VLAI
    Title
    Failure to detect delegated target rollback in tough
    Summary
    During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1025 - Comparison Using Wrong Factors
    Assigner
    Impacted products
    Vendor Product Version
    AWS tough Affected: 0.1.0 , < 0.20.0 (semver)
    Create a notification for this product.
    Date Public
    2025-03-27 21:30
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2887",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T14:44:40.783814Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T14:44:49.310Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "repo": "https://github.com/awslabs/tough",
              "vendor": "AWS",
              "versions": [
                {
                  "lessThan": "0.20.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-03-27T21:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eDuring a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "During a target rollback, the client fails to detect the rollback for delegated targets. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-25",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-25 Forced Deadlock"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1025",
                  "description": "CWE-1025: Comparison Using Wrong Factors",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-14T18:25:28.087Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-q6r9-r9pw-4cf7"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Failure to detect delegated target rollback in tough",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2025-2887",
        "datePublished": "2025-03-27T22:23:04.038Z",
        "dateReserved": "2025-03-27T21:08:15.590Z",
        "dateUpdated": "2025-10-14T18:25:28.087Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2886 (GCVE-0-2025-2886)

    Vulnerability from cvelistv5 – Published: 2025-03-27 22:22 – Updated: 2025-10-14 18:23
    VLAI
    Title
    Terminating targets role delegations are not respected in tough
    Summary
    Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-670 - Always-Incorrect Control Flow Implementation
    Assigner
    Impacted products
    Vendor Product Version
    AWS tough Affected: 0.1.0 , < 0.20.0 (semver)
    Create a notification for this product.
    Date Public
    2025-03-27 21:30
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2886",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T15:43:34.765460Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T15:43:49.713Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "repo": "https://github.com/awslabs/tough",
              "vendor": "AWS",
              "versions": [
                {
                  "lessThan": "0.20.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-03-27T21:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eMissing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
                }
              ],
              "value": "Missing validation of terminating delegation causes the client to continue searching the defined delegation list, even after searching a terminating delegation. This could cause the client to fetch a target from an incorrect source, altering the target contents. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-439",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-439 Manipulation During Distribution"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-670",
                  "description": "CWE-670 Always-Incorrect Control Flow Implementation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-14T18:23:47.183Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-v4wr-j3w6-mxqc"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Terminating targets role delegations are not respected in tough",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2025-2886",
        "datePublished": "2025-03-27T22:22:14.382Z",
        "dateReserved": "2025-03-27T21:08:14.876Z",
        "dateUpdated": "2025-10-14T18:23:47.183Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2885 (GCVE-0-2025-2885)

    Vulnerability from cvelistv5 – Published: 2025-03-27 22:18 – Updated: 2025-10-14 18:22
    VLAI
    Title
    Root metadata version not validated in tough
    Summary
    Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1288 - Improper Validation of Consistency within Input
    Assigner
    Impacted products
    Vendor Product Version
    AWS tough Affected: 0.1.0 , < 0.20.0 (semver)
    Create a notification for this product.
    Date Public
    2025-03-27 21:30
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2885",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-28T15:47:22.646997Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-28T15:47:35.890Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "tough",
              "repo": "https://github.com/awslabs/tough",
              "vendor": "AWS",
              "versions": [
                {
                  "lessThan": "0.20.0",
                  "status": "affected",
                  "version": "0.1.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2025-03-27T21:30:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cp\u003eMissing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Missing validation of the root metatdata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-153",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-153 Input Data Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "HIGH",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1288",
                  "description": "CWE-1288: Improper Validation of Consistency within Input",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-14T18:22:42.170Z",
            "orgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
            "shortName": "AMZN"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/awslabs/tough/security/advisories/GHSA-5vmp-m5v2-hx47"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/awslabs/tough/releases/tag/tough-v0.20.0"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Root metadata version not validated in tough",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ff89ba41-3aa1-4d27-914a-91399e9639e5",
        "assignerShortName": "AMZN",
        "cveId": "CVE-2025-2885",
        "datePublished": "2025-03-27T22:18:11.727Z",
        "dateReserved": "2025-03-27T21:08:13.996Z",
        "dateUpdated": "2025-10-14T18:22:42.170Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }