tough-kms (=0.2.0), tough-ssm (=0.5.0) +1 more potentially affected by CVE-2021-41149 +5 more via tough (=0.10.0)
Details
CVSS v3
8.2
CVSS v2
8.5
NVD published
2021-10-19 18:15:08
EPSS
0.9% probability · 74.9th percentile — 2026-04-05
Affected versions
cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*
Summary
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.