Incorrect authorization in The Update Framework (TUF) - #VU131743

Published: September 6, 2022 / Updated: May 18, 2026


Vulnerability identifier: #VU131743
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Update Framework
Affected software:
The Update Framework (TUF)

Detailed vulnerability description

The vulnerability allows a remote user to bypass root metadata signature threshold verification.

The vulnerability exists due to improper access control in _verify_root_self_signed() when verifying the self-signatures on new root metadata: the check counts valid signatures rather than distinct signing keys, so a remote user can supply multiple signatures from a single new root key to satisfy the root metadata signature threshold.

Exploitation requires control of one new root key, signatures from a valid threshold of the old trusted root keys on the new root metadata, publication of that metadata on the repository, and a client rotating to the new root metadata.
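As an added illustration that is not the project's own code, the following Python contrasts the flawed pattern (counting valid signatures) with the correct one (counting distinct trusted keyids). The HMAC "signature", the key names k1/k2 and the root bytes are constructed stand-ins for real TUF keys and canonical metadata.

```python
import hashlib
import hmac

# Constructed illustration, not the project's code: a toy "signature" is an HMAC over
# the canonical root bytes so the threshold logic can run offline with no real keys.

def toy_sign(secret: bytes, signed: bytes) -> str:
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()

def toy_verify(secret: bytes, signed: bytes, sig: str) -> bool:
    return hmac.compare_digest(toy_sign(secret, signed), sig)

def threshold_met_naive(root_keys, threshold, signed, signatures):
    """Flawed pattern: every valid signature is counted, so one key that
    signs several times can reach the threshold on its own."""
    valid = 0
    for entry in signatures:
        key = root_keys.get(entry["keyid"])
        if key is not None and toy_verify(key, signed, entry["sig"]):
            valid += 1
    return valid >= threshold

def threshold_met(root_keys, threshold, signed, signatures):
    """Correct pattern: count distinct trusted keyids that produced a valid
    signature, so repeated signatures from one key contribute only once."""
    signing_keyids = set()
    for entry in signatures:
        key = root_keys.get(entry["keyid"])
        if key is not None and toy_verify(key, signed, entry["sig"]):
            signing_keyids.add(entry["keyid"])
    return len(signing_keyids) >= threshold

def demo():
    """New root lists two keys with threshold 2; the signer holds only 'k1'
    and repeats its signature three times. Returns (naive result, correct result)."""
    new_root_keys = {"k1": b"secret-of-k1", "k2": b"secret-of-k2"}  # constructed
    threshold = 2
    signed = b'{"_type":"root","version":2}'  # stands in for canonical root bytes
    dup_sigs = [{"keyid": "k1", "sig": toy_sign(b"secret-of-k1", signed)}] * 3
    return (threshold_met_naive(new_root_keys, threshold, signed, dup_sigs),
            threshold_met(new_root_keys, threshold, signed, dup_sigs))

if __name__ == "__main__":
    print(demo())  # (True, False): only the keyid-based check rejects the duplicates
```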


Remediation

Install security update from vendor's website.

Sources