tough · CVE-2021-41150
**Name of the Vulnerable Software and Affected Versions**
tough versions prior to 0.12.0
**Description**
The tough library does not properly sanitize delegated role names when caching a repository or loading a repository from the filesystem. Because the role name is used to build the file name of the cached metadata, a crafted name can cause files ending with the .json extension to be overwritten with role metadata anywhere on the system. The impact is limited in several ways: only implementations that allow arbitrary role name selection for delegated targets metadata are affected, and an attacker must be able to insert new metadata for the path-traversing role and get that role delegated by an existing targets metadata file. The written file content is also heavily restricted, since it must be a valid, signed targets file, and the file extension is always .json.
**Recommendations**
For tough versions prior to 0.12.0, update to version 0.12.0 or newer to resolve the issue. As a temporary workaround, consider restricting the allowed character set for role names, or storing metadata in files whose names are derived from the role name in a way that cannot produce path components; both approaches require code changes.
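The following Rust snippet is an added illustration of the bug class in the description and of the two workarounds in the recommendations; it is not tough's own code and does not reproduce the fix shipped in 0.12.0. It assumes a hypothetical cache root (`CACHE_ROOT`), a conservative allowed character set for role names (ASCII letters, digits, `-`, `_` and `.`), and a constructed percent-encoding scheme for the "safe file name" variant. `naive_metadata_path` shows how joining an unchecked role name onto the cache directory escapes it; `safe_metadata_path` validates the name first and then confirms the result is a direct child of the root; `stays_within` is a purely lexical containment check that a test or audit can run without touching the filesystem.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical cache root for this example (constructed, not tough's layout).
pub const CACHE_ROOT: &str = "/var/cache/tuf-repo/metadata";

/// Workaround 1: restrict the role name to a conservative character set so it
/// can only ever be a single plain file-name component.  The set chosen here
/// is an assumption for the example.
pub fn validate_role_name(name: &str) -> Result<&str, String> {
    if name.is_empty() {
        return Err("empty role name".to_string());
    }
    if name == "." || name == ".." {
        return Err(format!("role name {:?} is a directory reference", name));
    }
    let allowed = |c: char| c.is_ascii_alphanumeric() || c == '-' || c == '_' || c == '.';
    if !name.chars().all(allowed) {
        return Err(format!("role name {:?} contains disallowed characters", name));
    }
    Ok(name)
}

/// Workaround 2: derive the file name from an encoding of the role name that
/// cannot contain separators.  Every byte outside [A-Za-z0-9_-] becomes %XX.
/// This is a constructed scheme, not tough's file naming.
pub fn encode_role_name(name: &str) -> String {
    let mut out = String::with_capacity(name.len());
    for b in name.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// The vulnerable pattern: the role name is used verbatim as the file stem.
/// A name containing "../" components walks out of `root`.
pub fn naive_metadata_path(root: &Path, role: &str) -> PathBuf {
    root.join(format!("{}.json", role))
}

/// The hardened pattern: validate first, then join, then verify that the
/// result is a direct child of `root` (defence in depth against a validator bug).
pub fn safe_metadata_path(root: &Path, role: &str) -> Result<PathBuf, String> {
    let name = validate_role_name(role)?;
    let path = root.join(format!("{}.json", name));
    if path.parent() != Some(root) {
        return Err(format!("{} is not directly under {}", path.display(), root.display()));
    }
    Ok(path)
}

/// Lexical containment check: normalise "." and ".." components without
/// touching the filesystem and report whether `candidate` still lies under `root`.
/// Useful as an audit assertion over every path a cache writer is about to open.
pub fn stays_within(root: &Path, candidate: &Path) -> bool {
    let mut normalised = PathBuf::new();
    for comp in candidate.components() {
        match comp {
            Component::ParentDir => {
                normalised.pop();
            }
            Component::CurDir => {}
            other => normalised.push(other.as_os_str()),
        }
    }
    normalised.starts_with(root)
}

fn main() {
    let root = Path::new(CACHE_ROOT);
    // Constructed hostile role name; shows the traversal the advisory describes.
    let hostile = "../../../../tmp/evil";
    let naive = naive_metadata_path(root, hostile);
    println!("naive join:   {} (inside root: {})", naive.display(), stays_within(root, &naive));
    println!("validated:    {:?}", safe_metadata_path(root, hostile));
    let encoded = root.join(format!("{}.json", encode_role_name(hostile)));
    println!("encoded name: {} (inside root: {})", encoded.display(), stays_within(root, &encoded));
}
```

Running `main` prints the escaped path produced by the naive join, the rejection from `safe_metadata_path`, and the percent-encoded file name that stays inside the cache directory. In a real repository loader the `stays_within` check belongs immediately before the write, on the final path, so it also catches names that slip past a future change to the validator.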