Product
high
advisory
awslabs/tough Delegated Roles Signature Threshold Bypass
2 rules 1 TTP 1 IOC
An improper verification of cryptographic signature uniqueness vulnerability in awslabs/tough before v0.22.0 allows remote authenticated users to bypass TUF signature threshold requirements by duplicating a valid signature, leading to the acceptance of forged delegated role metadata.
tough +1
supply-chain
vulnerability
rust
high
advisory
awslabs/tough Missing Delegated Metadata Validation
2 rules 1 TTP 1 CVE 1 IOC
The tough library before version 0.22.0 and tuftool before version 0.15.0 do not properly verify delegated target metadata, allowing an attacker with write access to serve expired or otherwise invalid targets from a TUF repository, potentially leading to the library trusting invalid targets.
tough +1
supply-chain
vulnerability
metadata-poisoning