Client Denial of Service on TUF
Moderate severity
GitHub Reviewed
Published
Aug 20, 2020
in
theupdateframework/python-tuf
•
Updated Nov 18, 2024
Description
Reviewed
Aug 21, 2020
Published to the GitHub Advisory Database
Aug 21, 2020
Last updated
Nov 18, 2024
Impact
An attacker who can gain file access to the repository and modify metadata files may cause a denial of service to clients by creating many invalid signatures on a metadata file. Having a large number of signatures to verify will delay the moment when the client will determine the signature is not valid. This delay may be for at least a few minutes, but possibly could be longer especially if multiple files are impacted.
The tuf maintainers would like to thank Erik MacLean of Analog Devices, Inc. for reporting this issue.
Patches
No fix exists for this issue.
Workarounds
No workarounds are known for this issue.
References
References