GHSA-j8x2-777p-23fc: 
Rust vulnerability analysis and mitigation

The vulnerability (GHSA-j8x2-777p-23fc) affects the tough Rust client library for TUF (The Update Framework) repositories in versions prior to 0.20.0. The issue involves the library's failure to detect cyclical role delegations in TUF repositories, where the targets role can delegate trust to other roles for signing target file metadata (GitHub Advisory, AWS Security Bulletin).

In TUF repositories, the targets role's signature indicates which target files are trusted by clients, with the ability to delegate full or partial trust to other roles for signing target file metadata. When searching for metadata about a given target, tough failed to detect cyclical role delegations in the delegation graph. The vulnerability has been assigned a CVSS score of 2.7 (Low) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N (GitHub Advisory).

When interacting with TUF repositories containing cyclical role delegations, the vulnerability causes tough to exhaust its stack while recursively searching the delegation graph. This stack exhaustion results in process abortion, potentially affecting the availability of systems using the library (GitHub Advisory).

A fix for this issue is available in tough version 0.20.0 and later. Users are advised to upgrade to version 0.20.0 or later and ensure any forked or derivative code is patched to incorporate the new fixes. There are no recommended workarounds, and customers should proceed with the upgrade to the patched version (GitHub Advisory, AWS Security Bulletin).

The vulnerability was identified by the TUF-Conformance project, with Google collaborating on the issue through the coordinated vulnerability disclosure process (GitHub Advisory).