QwikSec

Security Database

CVE

CWE

Training

CVE-2020-15163

Published: Sep 9, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

8.7

HIGH

Description

Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer.

Vendor	Product	Versions
theupdateframework	tuf	affected `< 0.12`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/theupdateframework/tuf/security/advisories/GHSA-f8mr-jv2c-v8mg

x_refsource_CONFIRM

https://github.com/theupdateframework/tuf/pull/885

x_refsource_MISC

https://github.com/theupdateframework/tuf/releases/tag/v0.12.0

x_refsource_MISC

https://pypi.org/project/tuf

x_refsource_MISC

https://github.com/theupdateframework/tuf/commit/3d342e648fbacdf43a13d7ba8886aaaf07334af7

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.