8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15093

GHSA ID

GHSA-5q2r-92f9-4m49

EPSS Score

0.31836%

CWE

CWE-347

Published

8/25/2021

Updated

2/3/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15093

CVE-2020-15093: Improper verification of signature threshold in tough

Impact

The tough library, prior to 0.7.1, does not properly verify the uniqueness of keys in the signatures provided to meet the threshold of cryptographic signatures. It allows someone with access to a valid signing key to create multiple valid signatures in order to circumvent TUF requiring a minimum threshold of unique keys before the metadata is considered valid.

AWS would like to thank Erick Tryzelaar of the Google Fuchsia Team for reporting this issue.

Patches

A fix is available in version 0.7.1.

Workarounds

No workarounds to this issue are known.

References

CVE-2020-6174 is assigned to the same issue in the TUF reference implementation.

https://github.com/theupdateframework/tuf/pull/974 https://nvd.nist.gov/vuln/detail/CVE-2020-6174

For more information

If you have any questions or comments about this advisory, contact AWS Security at aws-security@amazon.com.

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15093

GHSA ID

GHSA-5q2r-92f9-4m49

EPSS Score

0.31836%

CWE

CWE-347

Published

8/25/2021

Updated

2/3/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tough	rust	< 0.7.1	0.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper counting of unique cryptographic signatures. The core issue exists in functions responsible for: 1) Verifying signature thresholds (verify_threshold) and 2) Performing signature verification (verify_signatures). These functions likely counted multiple signatures from the same key as separate valid signatures rather than enforcing uniqueness. The Python TUF reference implementation's fix shows the solution requires deduplicating by key ID, indicating the vulnerable functions would be those handling signature aggregation and threshold verification.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Imp**t T** tou** li*r*ry, prior to *.*.*, *o*s not prop*rly v*ri*y t** uniqu*n*ss o* k*ys in t** si*n*tur*s provi*** to m**t t** t*r*s*ol* o* *rypto*r*p*i* si*n*tur*s. It *llows som*on* wit* ****ss to * v*li* si*nin* k*y to *r**t* multipl* v*li*

Reasoning

T** vuln*r**ility st*ms *rom improp*r *ountin* o* uniqu* *rypto*r*p*i* si*n*tur*s. T** *or* issu* *xists in *un*tions r*sponsi*l* *or: *) V*ri*yin* si*n*tur* t*r*s*ol*s (v*ri*y_t*r*s*ol*) *n* *) P*r*ormin* si*n*tur* v*ri*i**tion (v*ri*y_si*n*tur*s).

8.6

Basic Information

Concerned about an active attack path?

CVE-2020-15093: Improper verification of signature threshold in tough

Impact

Patches

Workarounds

References

For more information

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI