PT-2024-32647 · Go-Tuf+1

Adamkorcz · Published 2024-10-01 · Updated 2024-11-05 · CVE-2024-47534

CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: go-tuf versions prior to 2.0.1

Description: The go-tuf client traces targets delegations in an inconsistent order, which can result in downloading the wrong artifact. For example, if targets delegates to "A" and "B", and "B" delegates to "C", the client should trace the delegations in the order "A" then "B" then "C", but it may instead trace them as "B" -> "C" -> "A". The issue stems from the GetRolesForTarget function, which returns a map; because map iteration order is not guaranteed, the delegation order defined in the metadata is not honoured.

Recommendations: For go-tuf versions prior to 2.0.1, update to version 2.0.1, which fixes the inconsistent delegation tracing. As a temporary workaround, review and verify the delegation paths manually to reduce the risk of exploitation.
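To make the failure mode concrete, the following is an added example (not go-tuf's own code) of a minimal delegation walk over the "A", "B", "C" layout described above. The types, the in-memory Repo, and the role and target names are hypothetical. TraceDelegations keeps delegations in an ordered slice and visits them depth-first in that order, honouring TUF's terminating-delegation rule; traceUnordered mirrors the flawed pattern of collecting delegations into a map and ranging over it, so its visit order (and therefore which role "wins" a target that several roles claim) can change from run to run.

```go
package main

import "fmt"

// Delegation is one entry in a role's ordered delegation list. The slice
// order is the search order a TUF client must honour.
type Delegation struct {
	Name        string
	Terminating bool // if set and the target is not found below it, stop searching siblings
}

// Role is a simplified targets/delegated-targets role: the target paths it
// signs for and the roles it delegates to, in metadata order.
type Role struct {
	Targets     map[string]bool
	Delegations []Delegation
}

// Repo is a hypothetical in-memory stand-in for fetched, verified metadata.
type Repo map[string]*Role

// TraceDelegations walks delegations depth-first in list order starting at
// root. It returns every role visited, in order, and the name of the first
// role that declares target ("" if none does). Cycles are ignored via seen.
func (r Repo) TraceDelegations(root, target string) (visited []string, found string) {
	seen := map[string]bool{}
	var walk func(name string) (string, bool) // returns (found, stopSearch)
	walk = func(name string) (string, bool) {
		role, ok := r[name]
		if seen[name] || !ok {
			return "", false
		}
		seen[name] = true
		visited = append(visited, name)
		if role.Targets[target] {
			return name, true
		}
		for _, d := range role.Delegations {
			if f, stop := walk(d.Name); f != "" || stop {
				return f, stop
			}
			if d.Terminating {
				return "", true // terminating delegation exhausted: do not consult later siblings
			}
		}
		return "", false
	}
	found, _ = walk(root)
	return visited, found
}

// traceUnordered shows the flawed pattern: delegations are copied into a map
// and then ranged over. Go randomizes map iteration order, so the visit order
// is not the metadata order and may come out as targets, B, C, A.
func traceUnordered(r Repo, root, target string) []string {
	var visited []string
	seen := map[string]bool{}
	var walk func(name string)
	walk = func(name string) {
		role, ok := r[name]
		if seen[name] || !ok {
			return
		}
		seen[name] = true
		visited = append(visited, name)
		byName := map[string]Delegation{}
		for _, d := range role.Delegations {
			byName[d.Name] = d
		}
		for next := range byName { // order unspecified
			walk(next)
		}
	}
	walk(root)
	return visited
}

// sampleRepo builds the constructed layout from the advisory text:
// targets -> A, B; B -> C; only C (and, conflictingly, A) claim pkg.tar.gz.
func sampleRepo() Repo {
	return Repo{
		"targets": {Delegations: []Delegation{{Name: "A"}, {Name: "B"}}},
		"A":       {Targets: map[string]bool{"other.tar.gz": true}},
		"B":       {Delegations: []Delegation{{Name: "C"}}},
		"C":       {Targets: map[string]bool{"pkg.tar.gz": true}},
	}
}

func main() {
	repo := sampleRepo()
	visited, found := repo.TraceDelegations("targets", "pkg.tar.gz")
	fmt.Println("ordered trace:", visited, "found in:", found)
	fmt.Println("map-ordered trace:", traceUnordered(repo, "targets", "pkg.tar.gz"))
}
```

Run it a few times: the ordered trace is always targets, A, B, C, while the map-ordered trace varies. When two roles on different branches both claim the same path, only the ordered walk gives a stable answer about which signature the client ends up trusting.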

Exploit

Fix

Race Condition

Weakness Enumeration

Related Identifiers

CVE-2024-47534
GHSA-4F8R-QQR9-FQ8J
GO-2024-3166
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

Suse
Go-Tuf