Improper validation of integrity check value in Go implementation of The Update Framework (TUF) - CVE-2022-29173
Published: July 26, 2022
Vulnerability identifier: #VU65785
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-29173
CWE-ID: CWE-354
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: The Update Framework
Affected software:
Go implementation of The Update Framework (TUF)
Go implementation of The Update Framework (TUF)
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass expected security restrictions.
The vulnerability exists due to incorrect implementation of the client workflow for updating the metadata files for roles other than the root role. Checks for rollback attacks are not implemented correctly, as a result a remote attacker can force clients to install older versions of software that may contain security vulnerabilities.
How to mitigate CVE-2022-29173
Install updates from vendor's website.