CVE-2026-23992

{"id": "CVE-2026-23992", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-23992", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T15:21:00.989880Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "theupdateframework", "product": "go-tuf", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.3.1"}]}]}], "published": "2026-01-22T03:15:47.470", "references": [{"url": "https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification to TUF metadata files is possible at rest, or during transit as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1."}, {"lang": "es", "value": "go-tuf es una implementaci\u00f3n en Go de The Update Framework (TUF). A partir de la versi\u00f3n 2.0.0 y antes de la versi\u00f3n 2.3.1, un repositorio TUF comprometido o mal configurado puede tener el valor configurado de los umbrales de firma establecido en 0, lo que deshabilita efectivamente la verificaci\u00f3n de firmas. Esto puede llevar a que sea posible la modificaci\u00f3n no autorizada de los archivos de metadatos de TUF en reposo o en tr\u00e1nsito, ya que no se realizan comprobaciones de integridad. La versi\u00f3n 2.3.1 corrige el problema. Como soluci\u00f3n alternativa, aseg\u00farese siempre de que los roles de metadatos de TUF est\u00e9n configurados con un umbral de al menos 1."}], "lastModified": "2026-06-17T10:22:26.730", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:theupdateframework:go-tuf:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6442E623-C25E-418E-A418-324F815885AF", "versionEndExcluding": "2.3.1", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}