CVE-2024-47534

Oct. 1, 2024, 6:35 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

go-tuf

  • 2.0.1

Source

security-advisories@github.com

Tags

CVE-2024-47534 details

Published : Oct. 1, 2024, 4:15 p.m.
Last Modified : Oct. 1, 2024, 6:35 p.m.

Description

go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but it may incorrectly trace the delegations "B"->"C"->"A". This vulnerability is fixed in 2.0.1.

CVSS Score

1 2 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

NONE

Base Score

0.0

Exploitability Score

3.9

Impact Score

0.0

Base Severity

NONE

This website uses the NVD API, but is not approved or certified by it.