{"id":"GO-2022-0444","summary":"Version rollback attack in github.com/theupdateframework/go-tuf","details":"The TUF client is vulnerable to rollback attacks, in which an attacker causes a client to install software older than the software the client previously knew to be available.","aliases":["CVE-2022-29173","GHSA-66x3-6cw3-v5gj"],"modified":"2024-05-20T16:03:47Z","published":"2022-07-01T20:07:44Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0444","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/theupdateframework/go-tuf/commit/ed6788e710fc3093a7ecc2d078bf734c0f200d8d"}],"affected":[{"package":{"name":"github.com/theupdateframework/go-tuf","ecosystem":"Go","purl":"pkg:golang/github.com/theupdateframework/go-tuf"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Client.Download","Client.Init","Client.Target","Client.Update","Client.UpdateRoots","Client.decodeRoot","Client.decodeTargets","Client.decodeTimestamp","Client.downloadMetaFromSnapshot","Client.downloadMetaFromTimestamp"],"path":"github.com/theupdateframework/go-tuf/client"},{"symbols":["TimestampFileMetaEqual"],"path":"github.com/theupdateframework/go-tuf/util"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0444.json"}}],"schema_version":"1.7.3"}