Jku

**Name of the Vulnerable Software and Affected Versions** sigstore-python versions prior to 4.2.0 **Description** sigstore-python is a Python tool used for generating and verifying Sigstore signatures. A flaw exists in the OAuth authentication flow, making it susceptible to Cross-Site Request Forgery. The ` OAuthSession` creates a unique "state" parameter for authentication requests, but the server response does not cross-check this value, potentially allowing attackers to exploit the vulnerability. **Recommendations** Update to version 4.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** tough versions prior to 0.20.0 **Description** The issue arises from missing validation of the root metadata version number, allowing an actor to supply an arbitrary version number to the client. This could lead to the client trusting an outdated or rotated root role, potentially trusting content associated with a previous root role. Users should upgrade to a version that incorporates the new fixes to prevent this issue. **Recommendations** For versions prior to 0.20.0, upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

**Name of the Vulnerable Software and Affected Versions** tough versions prior to 0.20.0 **Description** The issue arises from missing validation of terminating delegation, causing the client to continue searching the defined delegation list even after encountering a terminating delegation. This could lead to the client fetching a target from an incorrect source, altering the target contents. Delegations are a mechanism that allows multiple identities to provide and sign content within a single repository, with terminating delegations and delegation priority giving unambiguous control over how overlapping delegations are resolved. However, the tough client erroneously does not terminate the search as required and accepts information from a lower-priority delegation that should have been ignored. When interacting with repositories that use delegations, the tough client could fetch targets owned by the incorrect role, allowing an actor with delegated ownership to provide arbitrary contents. **Recommendations** For versions prior to 0.20.0, upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

**Name of the Vulnerable Software and Affected Versions** tough versions prior to 0.20.0 **Description** The issue arises during a target rollback when the client fails to detect the rollback for delegated targets, potentially causing it to fetch a target from an incorrect source and alter the target contents. This could lead to the client trusting and downloading outdated targets that it should reject. **Recommendations** For versions prior to 0.20.0, upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

**Name of the Vulnerable Software and Affected Versions** tough versions prior to 0.20.0 **Description** The issue arises during a snapshot rollback when the client incorrectly caches the timestamp metadata. This leads to a failure in update timestamp validation, preventing further updates until the cache is cleared. The problem occurs because the client will persist invalid timestamp metadata to its cache, which may then cause it to incorrectly identify valid timestamp metadata as being rolled back. This prevents the client from consuming valid updates. **Recommendations** For versions prior to 0.20.0, upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

**Name of the Vulnerable Software and Affected Versions** python-tuf versions prior to 0.19 **Description** The issue is a path traversal vulnerability that can overwrite files ending in `.json` anywhere on the client system when calling `get one valid targetinfo()`. This occurs because the rolename is used to form the filename and may contain path traversal characters, such as `../../name.json`. The impact is mitigated by the fact that it only affects implementations allowing arbitrary rolename selection for delegated targets metadata, requires the ability to insert new metadata and get the role delegated, and the written file content must be a valid, signed targets file with a `.json` extension. **Recommendations** For versions prior to 0.19, update to version 0.19 or newer to resolve the issue. As a temporary workaround, consider restricting the allowed character set for rolenames or storing metadata in files named in a way that is not vulnerable, although these approaches require modifying python-tuf.