Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| tuf(PyPI) | 0 | 0.12.0 | N/A |
CVSS Metrics
