The Python TUF (The Update Framework) reference implementation before version 0.12 incorrectly trusts a previously downloaded root metadata file that failed verification at download time. This allows an attacker who can serve multiple new versions of root metadata (e.g. via a person-in-the-middle attack), culminating in a version that has not been correctly signed, to control the trust chain for future updates. This is fixed in version 0.12 and newer.
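The failure mode described above, as an added illustration that is not python-tuf's code: a toy model of the root-metadata update loop in which the vulnerable client persists each downloaded root file before verifying it, so the last file served (the one that fails the signature check) is what remains as the trust anchor, while the fixed client only persists a root after it verifies. Key ids, the HMAC stand-in for signatures and the three root versions are all constructed for the example.

```python
import hmac
import json

# Constructed toy model of TUF root rotation (not python-tuf's code). A
# signature is an HMAC tag standing in for a real Ed25519 signature, and
# KEYS maps key ids to the key material the verifier looks up.
KEYS = {"k1": b"secret-1", "k2": b"secret-2", "evil": b"attacker"}

def canonical(body):
    return json.dumps(body, sort_keys=True).encode()

def sign(body, signers):
    sigs = {k: hmac.new(KEYS[k], canonical(body), "sha256").hexdigest() for k in signers}
    return {"signed": body, "signatures": sigs}

def verified_by(root, trusted):
    """True if `root` carries a threshold of valid signatures from the keys that
    the root role of `trusted` delegates to."""
    role = trusted["signed"]["roles"]["root"]
    good = 0
    for keyid, sig in root["signatures"].items():
        if keyid in role["keyids"] and keyid in KEYS:
            expect = hmac.new(KEYS[keyid], canonical(root["signed"]), "sha256").hexdigest()
            good += hmac.compare_digest(sig, expect)
    return good >= role["threshold"]

def update_root(trusted, chain, vulnerable=False):
    """Walk downloaded root files N+1, N+2, ... and return the root the client
    uses afterwards. The vulnerable variant persists each file before checking
    it, so the file that fails verification is what stays on disk."""
    on_disk = trusted
    for candidate in chain:
        if vulnerable:
            on_disk = candidate  # written to the metadata store before any check
        ok = (candidate["signed"]["version"] == trusted["signed"]["version"] + 1
              and verified_by(candidate, trusted)     # signed by the previous root's keys
              and verified_by(candidate, candidate))  # and by its own keys
        if not ok:
            break
        trusted = on_disk = candidate
    return on_disk

def make_root(version, keyids, signers):
    body = {"_type": "root", "version": version,
            "roles": {"root": {"keyids": keyids, "threshold": 1}}}
    return sign(body, signers)

ROOT_V1 = make_root(1, ["k1"], ["k1"])        # the client's trusted root
ROOT_V2 = make_root(2, ["k2"], ["k1", "k2"])  # legitimate rotation k1 -> k2
ROOT_V3 = make_root(3, ["evil"], ["evil"])    # unsigned by k2: must be rejected
CHAIN = [ROOT_V2, ROOT_V3]                    # constructed sequence served to the client

def demo():
    """Root version trusted afterwards: (fixed client, vulnerable client)."""
    return (update_root(ROOT_V1, CHAIN)["signed"]["version"],
            update_root(ROOT_V1, CHAIN, vulnerable=True)["signed"]["version"])
```

The fixed client stops at version 2 and keeps it; the vulnerable client ends up using version 3, whose root role now lists only the attacker's key.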
| CPE | Name | Operator | Version |
|---|---|---|---|
| | python-tuf | eq | 0.9.9 |
| | python-tuf | eq | 0.10.1 |
| | python-tuf | eq | 0.10.0 |
| | python-tuf | eq | 0.11.2.dev1 |
| | python-tuf | eq | 0.11.1 |
| | python-tuf | eq | 0.7.5 |
| | python-tuf | eq | 0.9.8 |
| | python-tuf | eq | 0.11.2.dev3 |
| | python-tuf | eq | 0.11.0 |
| | python-tuf | eq | 0.10.2 |