logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2020-15163 tuf

Package

Manager: pip
Name: tuf
Vulnerable Version: >=0 <0.12.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00144 pctl0.35246

Details

Invalid root may become trusted root in The Update Framework (TUF) ### Impact The Python TUF reference implementation `tuf<0.12` will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a man-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. While investigating the reported vulnerability, we discovered that the detailed client workflow was not fully implemented. Specifically, for step 1.3 the newly downloaded root metadata was not being verified with a threshold of keys specified in the new root metadata file. This missing step of the client workflow has been implemented in [PR #1101](https://github.com/theupdateframework/tuf/pull/1101), which is included in [v0.14.0](https://github.com/theupdateframework/tuf/releases/tag/v0.14.0) of tuf. ### Patches A [fix](https://github.com/theupdateframework/tuf/pull/885), is available in version [0.12](https://github.com/theupdateframework/tuf/releases/tag/v0.12.0) and newer. ### Workarounds No workarounds are known for this issue. ### References * Pull request resolving the invalid root becoming trusted issue [PR 885](https://github.com/theupdateframework/tuf/pull/885) * Pull request implementing self verification of newly downloaded root metadata [PR 1101](https://github.com/theupdateframework/tuf/pull/1101)

Metadata

Created: 2020-09-09T17:29:27Z
Modified: 2024-11-18T22:41:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-f8mr-jv2c-v8mg/GHSA-f8mr-jv2c-v8mg.json
CWE IDs: ["CWE-345", "CWE-863"]
Alternative ID: GHSA-f8mr-jv2c-v8mg
Finding: F204
Auto approve: 1