9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-6174

GHSA ID

GHSA-pwqf-9h7j-7mv8

EPSS Score

0.41998%

CWE

CWE-347

Published

8/21/2020

Updated

11/18/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-6174

CVE-2020-6174: Incorrect threshold signature computation in TUF

Impact

Metadadata signature verification, as used in tuf.client.updater, counted each of multiple signatures with identical authorized keyids separately towards the threshold. Therefore, an attacker with access to a valid signing key could create multiple valid signatures in order to meet the minimum threshold of keys before the metadata was considered valid.

The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.

Patches

A fix is available in version 0.12.2 or newer.

Workarounds

No workarounds are known for this issue.

References

CVE-2020-6174
Pull request resolving the issue PR 974

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-6174

GHSA ID

GHSA-pwqf-9h7j-7mv8

EPSS Score

0.41998%

CWE

CWE-347

Published

8/21/2020

Updated

11/18/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tuf	pip	< 0.12.2	0.12.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how signature verification counted identical keyids. The critical code change was in tuf/sig.py where the return statement changed from 'len(good_sigs) >= threshold' to 'len(set(good_sigs)) >= threshold', explicitly addressing duplicate keyid counting. The verify function's pre-patch behavior directly matches the vulnerability description of improper signature threshold computation. Supporting evidence includes the CWE-347 mapping, test cases added for duplicate keyid scenarios, and the maintainers' own security advisory explicitly referencing this function's behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t M*t*****t* si*n*tur* v*ri*i**tion, *s us** in `tu*.*li*nt.up**t*r`, *ount** **** o* multipl* si*n*tur*s wit* i**nti**l *ut*oriz** k*yi*s s*p*r*t*ly tow*r*s t** t*r*s*ol*. T**r**or*, *n *tt**k*r wit* ****ss to * v*li* si*nin* k*y *oul* *r*

Reasoning

T** vuln*r**ility st*ms *rom *ow si*n*tur* v*ri*i**tion *ount** i**nti**l k*yi*s. T** *riti**l *o** ***n** w*s in tu*/si*.py w**r* t** r*turn st*t*m*nt ***n*** *rom 'l*n(*oo*_si*s) >= t*r*s*ol*' to 'l*n(s*t(*oo*_si*s)) >= t*r*s*ol*', *xpli*itly ***r*

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-6174: Incorrect threshold signature computation in TUF

Impact

Patches

Workarounds

References

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI