CVE-2025-2888

During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes.

CVSS

No CVSS.

References

Link	Resource
https://aws.amazon.com/security/security-bulletins/AWS-2025-007/
https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4

Configurations

No configuration.

History

27 Mar 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-27 23:15

Updated : 2025-03-28 18:11

NVD link : CVE-2025-2888

Mitre link : CVE-2025-2888

CVE.ORG link : CVE-2025-2888

JSON object : View

Products Affected

No product.

CWE

CWE-1025

Comparison Using Wrong Factors

{"id": "CVE-2025-2888", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-03-27T23:15:35.717", "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-007/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}, {"url": "https://github.com/awslabs/tough/security/advisories/GHSA-76g3-38jv-wxh4", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "description": [{"lang": "en", "value": "CWE-1025"}]}], "descriptions": [{"lang": "en", "value": "During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes."}], "lastModified": "2025-03-28T18:11:40.180", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5"}

CVE-2025-2888

JSON object

Attach tags to CVE-2025-2888

Attach tags to `CVE-2025-2888`