VDB
CVE-2024-47534
PUBLISHED
CVSS 8.2 HIGH
go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client does not trace delegations in a consistent order. For example, if the targets role delegates to "A" and then to "B", and "B" in turn delegates to "C", the client should trace the delegations in the order "A", "B", "C", but it may incorrectly trace them as "B" -> "C" -> "A". This vulnerability is fixed in 2.0.1.
EPSS 0.26% · 49.5th percentile
Risk Scores
- CVSS v4.0: 8.2 (HIGH), vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
- EPSS: 0.26% (49.5th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | theupdateframework/go-tuf/v2 | 0, 0 |
| theupdateframework | go-tuf | 0, 0 |
| theupdateframework | go-tuf | *, >= 2.0.0, < 2.0.1 |
Timeline
- (date not recorded) Fix PR Merged
- (date not recorded) Security Advisory
- Oct 1, 2024 CVE Published
- Oct 1, 2024 PoC Published
- Oct 2, 2024 EPSS Score
- Oct 5, 2024 Coalition ESS Score
- Oct 11, 2024 CVE Updated
- Oct 17, 2024 Coalition ESS Score
- Oct 21, 2024 EPSS Score
- Nov 9, 2024 EPSS Score
- Nov 28, 2024 EPSS Score
- Dec 18, 2024 EPSS Score
References
- GitHub Security Advisory GHSA-4f8r-qqr9-fq8j: https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j
- TUF conformance test suite, pull request 115: https://github.com/theupdateframework/tuf-conformance/pull/115
- Fix commit: https://github.com/theupdateframework/go-tuf/commit/edc30b474f5afd4cc603e17149704d5aa605151d
- Fix commit: https://github.com/theupdateframework/go-tuf/commit/f36420caba9edbfdfd64f95a9554c0836d9cf819
- Affected code (metadata/metadata.go, lines 565-580): https://github.com/theupdateframework/go-tuf/blob/f95222bdd22d2ac4e5b8ed6fe912b645e213c3b5/metadata/metadata.go#L565-L580
- NVD advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-47534
- Package repository: https://github.com/theupdateframework/go-tuf
- Go vulnerability database entry GO-2024-3166: https://pkg.go.dev/vuln/GO-2024-3166