Update Framework · Tuf · CVE-2020-6174
**Name of the Vulnerable Software and Affected Versions**
TUF (aka The Update Framework) versions prior to 0.7.1
TUF (aka The Update Framework) through 0.12.1
**Description**
TUF improperly verifies cryptographic signatures: someone with access to a valid signing key can create multiple valid signatures and so circumvent the requirement of a minimum threshold of unique keys. This enables an attacker to make the metadata appear valid. A fix is available, and the issue was reported by Erick Tryzelaar of the Google Fuchsia Team.
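The threshold check described above, sketched as an added example that is not TUF's own code: it contrasts counting valid signatures with counting the distinct keys that produced them. HMAC-SHA256 stands in for a real signature scheme, and the key IDs, payload, `sign`, `is_valid` and both `meets_threshold_*` functions are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data. Assumption: HMAC-SHA256 stands in for a real
# signature scheme so the example runs with the standard library only.
KEYS = {"key-a": b"secret-a", "key-b": b"secret-b", "key-c": b"secret-c"}
THRESHOLD = 2
PAYLOAD = b'{"_type": "targets", "version": 7}'


def sign(keyid, payload, nonce=b""):
    """Hypothetical signer. The nonce models a randomized scheme in which one
    key can produce several different valid signatures over one payload."""
    tag = hmac.new(KEYS[keyid], nonce + payload, hashlib.sha256).hexdigest()
    return {"keyid": keyid, "nonce": nonce.hex(), "sig": tag}


def is_valid(sig, payload):
    """True if the signature verifies under a trusted key."""
    key = KEYS.get(sig["keyid"])
    if key is None:
        return False
    nonce = bytes.fromhex(sig["nonce"])
    expected = hmac.new(key, nonce + payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["sig"])


def meets_threshold_flawed(signatures, payload, threshold=THRESHOLD):
    """Counts every valid signature, so one key can be counted repeatedly."""
    return sum(1 for s in signatures if is_valid(s, payload)) >= threshold


def meets_threshold_fixed(signatures, payload, threshold=THRESHOLD):
    """Counts distinct trusted key IDs that produced a valid signature."""
    signers = {s["keyid"] for s in signatures if is_valid(s, payload)}
    return len(signers) >= threshold


# Constructed signature lists as they might appear in a metadata file.
one_key_twice = [sign("key-a", PAYLOAD, b"\x01"), sign("key-a", PAYLOAD, b"\x02")]
two_keys = [sign("key-a", PAYLOAD), sign("key-b", PAYLOAD)]
```

Because the two `key-a` signatures differ byte for byte, removing duplicate signature values would not be enough; the count has to be taken over distinct keys.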
**Recommendations**
For TUF (aka The Update Framework) versions prior to 0.7.1, update to version 0.7.1 to resolve the issue.
For TUF (aka The Update Framework) through 0.12.1, update to a version later than 0.12.1 to resolve the issue.