tough-kms (=0.2.0), tough-ssm (=0.5.0) +1 more potentially affected by CVE-2021-41149 +5 more via tough (=0.10.0)
Details
CVSS v3
8.2
CVSS v2
3.5
NVD published
2021-10-19 20:15:08
EPSS
0.5% probability · 66.9th percentile — 2026-04-05
Affected versions
cpe:2.3:a:amazon:tough:*:*:*:*:*:rust:*:*
Summary
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system. A fix is available in version 0.12.0. No workarounds to this issue are known.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.