Safety vulnerability ID: 38769
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Tuf 0.12.0 includes a fix for CVE-2020-15163: Python TUF reference implementation before version 0.12 incorrectly trusts previously downloaded root metadata files which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates.
https://github.com/theupdateframework/python-tuf/security/advisories/GHSA-f8mr-jv2c-v8mg
Latest version: 5.0.0
A secure updater framework for Python
Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer.
CONFIRM:https://github.com/theupdateframework/tuf/commit/3d342e648fbacdf43a13d7ba8886aaaf07334af7: https://github.com/theupdateframework/tuf/commit/3d342e648fbacdf43a13d7ba8886aaaf07334af7
CONFIRM:https://github.com/theupdateframework/tuf/security/advisories/GHSA-f8mr-jv2c-v8mg: https://github.com/theupdateframework/tuf/security/advisories/GHSA-f8mr-jv2c-v8mg
MISC:https://github.com/theupdateframework/tuf/pull/885: https://github.com/theupdateframework/tuf/pull/885
MISC:https://github.com/theupdateframework/tuf/releases/tag/v0.12.0: https://github.com/theupdateframework/tuf/releases/tag/v0.12.0
MISC:https://pypi.org/project/tuf: https://pypi.org/project/tuf
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application