github.com/endophage/gotuf and github.com/theupdateframework/notary do not check that the algorithm declared in a signature matches the type of the key used to verify it. Because the signature's declared algorithm comes from the signed metadata, an attacker who can alter that metadata can have a signature verified under a cryptographically weaker algorithm than the key was generated for, and could use this to forge signatures and recover private keys.
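The missing check, shown as an added Go example that is not code from gotuf or Notary: constructed TUF-style `Key` and `Signature` types, a verifier registry holding one strong and one deliberately weaker ECDSA scheme (the scheme names `ecdsa-sha256` and `ecdsa-sha1` and the registry itself are assumptions standing in for whatever weaker algorithm the real verifier accepted), a `VerifyVulnerable` that dispatches on the method the signature claims, and a `VerifyHardened` that derives the verifier from the key type and rejects any mismatch before touching the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Constructed TUF-style types for this example (not Notary's or gotuf's own).
// Key.Type names the scheme the key was generated for; Signature.Method is
// whatever the metadata says, so whoever can alter the document controls it.
type Key struct {
	Type   string // e.g. "ecdsa-sha256" (assumed scheme name)
	Public []byte // PKIX DER-encoded public key
}

type Signature struct {
	Method string // algorithm the signature claims was used
	Sig    []byte // ASN.1 DER-encoded (r, s)
}

// Verifier registry keyed by method name. "ecdsa-sha1" is a constructed
// stand-in for a weaker algorithm the verifier still accepts.
var verifiers = map[string]func(pub *ecdsa.PublicKey, msg, sig []byte) bool{
	"ecdsa-sha256": func(pub *ecdsa.PublicKey, msg, sig []byte) bool {
		h := sha256.Sum256(msg)
		return ecdsa.VerifyASN1(pub, h[:], sig)
	},
	"ecdsa-sha1": func(pub *ecdsa.PublicKey, msg, sig []byte) bool {
		h := sha1.Sum(msg)
		return ecdsa.VerifyASN1(pub, h[:], sig)
	},
}

// verifyWith runs the verifier registered for method over (k, msg, sig).
func verifyWith(method string, k Key, msg, sig []byte) error {
	v, ok := verifiers[method]
	if !ok {
		return fmt.Errorf("no verifier for %q", method)
	}
	pub, err := x509.ParsePKIXPublicKey(k.Public)
	if err != nil {
		return err
	}
	ec, isEC := pub.(*ecdsa.PublicKey)
	if !isEC || !v(ec, msg, sig) {
		return errors.New("not an ECDSA key or signature invalid")
	}
	return nil
}

// VerifyVulnerable reproduces the flawed pattern: the method named in the
// signature selects the verifier and is never compared with the key's type.
func VerifyVulnerable(k Key, msg []byte, s Signature) error {
	return verifyWith(s.Method, k, msg, s.Sig)
}

// VerifyHardened selects the verifier from the key's own type and rejects a
// signature whose declared method disagrees, before any crypto runs.
func VerifyHardened(k Key, msg []byte, s Signature) error {
	if s.Method != k.Type {
		return fmt.Errorf("method %q does not match key type %q", s.Method, k.Type)
	}
	return verifyWith(k.Type, k, msg, s.Sig)
}

// Outcome records whether each verifier accepted a signature.
type Outcome struct{ Vulnerable, Hardened bool }

// Demo signs constructed metadata correctly, then signs it again over the
// weaker hash and labels that signature "ecdsa-sha1". The weak signature is
// made with the legitimate private key only to stand in for what a weaker
// algorithm would let an attacker produce; the point is which verifier runs.
func Demo() (legit, downgraded Outcome, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return
	}
	key := Key{Type: "ecdsa-sha256", Public: der}
	msg := []byte(`{"signed":{"_type":"targets","version":2}}`) // constructed
	h256, h1 := sha256.Sum256(msg), sha1.Sum(msg)
	good, err := ecdsa.SignASN1(rand.Reader, priv, h256[:])
	weak, err2 := ecdsa.SignASN1(rand.Reader, priv, h1[:])
	if err != nil || err2 != nil {
		return legit, downgraded, errors.New("signing failed")
	}
	genuine := Signature{Method: "ecdsa-sha256", Sig: good}
	forged := Signature{Method: "ecdsa-sha1", Sig: weak}
	legit = Outcome{VerifyVulnerable(key, msg, genuine) == nil, VerifyHardened(key, msg, genuine) == nil}
	downgraded = Outcome{VerifyVulnerable(key, msg, forged) == nil, VerifyHardened(key, msg, forged) == nil}
	return legit, downgraded, nil
}

func main() {
	legit, downgraded, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %+v\nrelabelled: %+v\n", legit, downgraded)
}
```

The genuine signature passes both verifiers; the relabelled one passes only `VerifyVulnerable`, because there the attacker-controlled `Method` field chooses the algorithm. The fix is structural rather than cryptographic: the key, which the verifier trusts, must decide the algorithm, and a signature that names anything else is rejected without being evaluated.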
Name (CPE) | Operator | Version
---|---|---
github.com/theupdateframework/notary | eq | HEAD
github.com/endophage/gotuf | eq | HEAD