CVE-2020-15093

Name of the Vulnerable Software and Affected Versions tough library versions prior to 0.7.1

Description The issue arises from the tough library's failure to properly verify the uniqueness of keys in the signatures provided, allowing an attacker with access to a valid signing key to create multiple valid signatures. This can be used to circumvent the requirement for a minimum threshold of unique signatures before metadata is considered valid. A fix is available in version 0.7.1.

Recommendations For versions prior to 0.7.1, update to version 0.7.1 to resolve the issue. As a temporary workaround, consider restricting access to the signing keys to minimize the risk of exploitation.