#VU65785 Improper validation of integrity check value in Go implementation of The Update Framework (TUF) - CVE-2022-29173
Published: July 26, 2022
Vulnerability identifier: #VU65785
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-29173
CWE-ID: CWE-354
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Go implementation of The Update Framework (TUF)
Go implementation of The Update Framework (TUF)
Software vendor:
The Update Framework
The Update Framework
Description
The vulnerability allows a remote attacker to bypass expected security restrictions.
The vulnerability exists due to incorrect implementation of the client workflow for updating the metadata files for roles other than the root role. Checks for rollback attacks are not implemented correctly, as a result a remote attacker can force clients to install older versions of software that may contain security vulnerabilities.
Remediation
Install updates from vendor's website.