First published: Wed Sep 09 2020(Updated: )
Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Linuxfoundation The Update Framework | <0.12.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2020-15163.
The severity of CVE-2020-15163 is high with a CVSS score of 8.2.
Python TUF (The Update Framework) is a secure software updater framework for Python.
Python TUF reference implementation before version 0.12.0 is affected by CVE-2020-15163.
To fix CVE-2020-15163, update to Python TUF version 0.12.0 or later.