
cpe:2.3:a:aws:tuftool:*:*:*:*:*:*:*:*

part: a
version: *
update: *
Vendor: Aws (e6707f00-6abb-51df-808c-9e3417305027)
Product: Tuftool (e3f9887f-6e49-5d21-a963-b93e3ffffff3)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier | CPE applicability | Submitted | db.gcve.eu details | Rationale

Identifier: CVE-2026-6968
CPE applicability: not_vulnerable
Submitted: 2026-06-03 15:27:55.942027
db.gcve.eu details: Multiple Path Traversal Variants in awslabs/tough
Severity: MEDIUM (5.9)
Description: Incomplete path traversal fixes in awslabs/tough before tough-v0.22.0 allow remote authenticated users with delegated signing authority to write files outside intended output directories via absolute target names in copy_target/link_target, symlinked parent directories in save_target, or symlinked metadata filenames in SignedRole::write, because write paths trust the joined destination path without post-resolution containment verification. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
Published: 2026-04-24T19:44:44.835Z
Updated: 2026-04-24T20:10:00.800Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2026-6967
CPE applicability: not_vulnerable
Submitted: 2026-06-03 15:27:55.941479
db.gcve.eu details: Missing Delegated Metadata Validation in awslabs/tough
Severity: MEDIUM (5.9)
Description: Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local metadata cache, because load_delegations does not apply the same validation checks as the top-level targets metadata path. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
Published: 2026-04-24T19:41:43.460Z
Updated: 2026-04-24T20:13:20.016Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2026-6966
CPE applicability: not_vulnerable
Submitted: 2026-06-03 15:27:55.937726
db.gcve.eu details: Signature Threshold Bypass in awslabs/tough Delegated Roles
Severity: MEDIUM (5.3)
Description: Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role metadata. We recommend you upgrade to tough-v0.22.0 / tuftool-v0.15.0.
Published: 2026-04-24T19:38:24.907Z
Updated: 2026-04-24T20:15:28.842Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
