github.com/endophage/gotuf and github.com/theupdateframework/notary do not check whether a root.json file has expired before using it. If an attacker has compromised a key and a new root.json file has been uploaded to rotate it, the attacker can still use the old root.json file, which lists the compromised key, to produce updates that clients accept. The cause is that the checkRoot function does not actually check the expiration status of the root.json file it is given.
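The check that is missing, written out as an added example in Go; this is illustrative code for this advisory, not code from notary or gotuf. It assumes the TUF metadata layout (a `signed` object with `_type`, `version` and `expires` in RFC 3339 form), and the `rootMeta` type, the `checkRootExpiry` function and the two sample documents are constructed for the example. Signature verification is left out so the expiry logic stands alone; a real client verifies signatures first and then runs a check like this on every load of root.json, cached copies included.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// rootMeta models only the part of a TUF root.json this check needs.
// The field names follow the TUF metadata format; the struct itself is
// an assumption of this example, not a type from notary or gotuf.
type rootMeta struct {
	Signed struct {
		Type    string `json:"_type"`
		Version int    `json:"version"`
		Expires string `json:"expires"`
	} `json:"signed"`
}

var (
	errNotRoot = errors.New("metadata is not of type root")
	errExpired = errors.New("root metadata has expired")
)

// checkRootExpiry parses raw root metadata and refuses it unless its
// expires timestamp lies strictly after now. It returns the parsed
// expiry so callers can log or compare it.
func checkRootExpiry(raw []byte, now time.Time) (time.Time, error) {
	var m rootMeta
	if err := json.Unmarshal(raw, &m); err != nil {
		return time.Time{}, fmt.Errorf("parse root.json: %w", err)
	}
	if m.Signed.Type != "root" {
		return time.Time{}, errNotRoot
	}
	exp, err := time.Parse(time.RFC3339, m.Signed.Expires)
	if err != nil {
		return time.Time{}, fmt.Errorf("parse expires %q: %w", m.Signed.Expires, err)
	}
	// Equality counts as expired: the metadata must be valid at "now".
	if !exp.After(now) {
		return exp, fmt.Errorf("%w: expires %s, now %s", errExpired,
			exp.UTC().Format(time.RFC3339), now.UTC().Format(time.RFC3339))
	}
	return exp, nil
}

// Constructed sample metadata for the demonstration, not real repository data.
// staleRoot stands in for an old root.json an attacker would replay;
// freshRoot stands in for the rotated root.json the repository now serves.
const staleRoot = `{"signed":{"_type":"root","version":1,"expires":"2015-01-01T00:00:00Z","keys":{},"roles":{}},"signatures":[]}`
const freshRoot = `{"signed":{"_type":"root","version":2,"expires":"2099-01-01T00:00:00Z","keys":{},"roles":{}},"signatures":[]}`

func main() {
	// Fixed clock so the run is reproducible.
	now := time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC)
	for _, doc := range []struct{ name, body string }{{"stale", staleRoot}, {"fresh", freshRoot}} {
		if _, err := checkRootExpiry([]byte(doc.body), now); err != nil {
			fmt.Printf("%s root rejected: %v\n", doc.name, err)
		} else {
			fmt.Printf("%s root accepted\n", doc.name)
		}
	}
}
```

With the fixed clock above, the stale document is rejected with errExpired and the fresh one is accepted; a client that skips this step, as the advisory describes, would accept both and could be pointed at the old key set.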
CPE

Name | Operator | Version
---|---|---
github.com/theupdateframework/notary | eq | HEAD
github.com/endophage/gotuf | eq | HEAD