{"id":"CVE-2020-15093","details":"The tough library (Rust/crates.io) prior to version 0.7.1 does not properly verify the threshold of cryptographic signatures. An attacker can duplicate a single valid signature so that it is counted more than once, circumventing the TUF requirement that metadata carry a minimum threshold of unique signatures before it is considered valid. A fix is available in version 0.7.1. CVE-2020-6174 is assigned to the same vulnerability in the TUF reference implementation.","aliases":["GHSA-5q2r-92f9-4m49","RUSTSEC-2020-0024"],"modified":"2026-04-10T04:22:49.548512Z","published":"2020-07-09T19:15:11.413Z","related":["GHSA-5q2r-92f9-4m49"],"references":[{"type":"ADVISORY","url":"https://crates.io/crates/tough"},{"type":"ADVISORY","url":"https://github.com/awslabs/tough/security/advisories/GHSA-5q2r-92f9-4m49"},{"type":"FIX","url":"https://github.com/theupdateframework/tuf/commit/2977188139d065ff3356c3cb4aec60c582b57e0e"},{"type":"FIX","url":"https://github.com/theupdateframework/tuf/pull/974"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/awslabs/tough","events":[{"introduced":"0"},{"fixed":"d8c9d06f73f7203878060698e4c1847e7555062d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.7.1"}]}},{"type":"GIT","repo":"https://github.com/theupdateframework/python-tuf","events":[{"introduced":"0"},{"fixed":"2977188139d065ff3356c3cb4aec60c582b57e0e"}]}],"versions":["olpc-cjson-v0.1.0","olpc-cjson-v0.1.1","tough-kms-v0.1.0","tough-kms-v0.1.1","tough-kms-v0.3.1","tough-kms-v0.3.2","tough-kms-v0.3.3","tough-kms-v0.3.4","tough-ssm-v0.1.0","tough-ssm-v0.2.0","tough-ssm-v0.3.0","tough-ssm-v0.4.0","tough-ssm-v0.6.1","tough-ssm-v0.6.2","tough-ssm-v0.6.3","tough-ssm-v0.6.4","tough-v0.1.0","tough-v0.11.1","tough-v0.11.2","tough-v0.11.3","tough-v0.12.0","tough-v0.2.0","tough-v0.3.0","tough-v0.4.0","tough-v0.5.0","tough-v0.6.0","tough-v0.7.0","tough-v0.8.0","tough-v0.9.0","tuftool-v0.1.0","tuftool-v0.1.1","tuftool-v0.2.0","tuftool-v0.3.0","tuftool-v0.4.0","tuftool-v0.4.1",
"tuftool-v0.5.0","tuftool-v0.6.2","tuftool-v0.6.3","tuftool-v0.6.4","tuftool-v0.7.0","v0.10.0","v0.10.2","v0.11.0","v0.11.1","v0.11.2.dev1","v0.11.2.dev2","v0.11.2.dev3","v0.12.0","v0.12.1","v0.7.5","v0.9.8","v0.9.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15093.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"}]}