Amazon Tough

By the Year

In 2024 there have been 0 vulnerabilities in Amazon Tough. Tough did not have any published security vulnerabilities last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 0 0.00
2022 0 0.00
2021 2 7.30
2020 1 8.60
2019 0 0.00
2018 0 0.00

It may take a day or so for new Tough vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Amazon Tough Security Vulnerabilities

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories

CVE-2021-41150 6.5 - Medium - October 19, 2021

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

Directory traversal

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories

CVE-2021-41149 8.1 - High - October 19, 2021

Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.

Directory traversal

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures

CVE-2020-15093 8.6 - High - July 09, 2020

The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. It allows an attacker to duplicate a valid signature in order to circumvent TUF requiring a minimum threshold of unique signatures before the metadata is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation.

Improper Verification of Cryptographic Signature
