CVE-2020-15163

HIGH8.7EPSS 0.14%

Invalid root may become trusted root in The Update Framework (TUF)

Published: 9/9/2020Modified: 3/13/2026

Description

### Impact The Python TUF reference implementation `tuf<0.12` will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a man-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. While investigating the reported vulnerability, we discovered that the detailed client workflow was not fully implemented. Specifically, for step 1.3 the newly downloaded root metadata was not being verified with a threshold of keys specified in the new root metadata file. This missing step of the client workflow has been implemented in [PR #1101](https://github.com/theupdateframework/tuf/pull/1101), which is included in [v0.14.0](https://github.com/theupdateframework/tuf/releases/tag/v0.14.0) of tuf. ### Patches A [fix](https://github.com/theupdateframework/tuf/pull/885), is available in version [0.12](https://github.com/theupdateframework/tuf/releases/tag/v0.12.0) and newer. ### Workarounds No workarounds are known for this issue. ### References * Pull request resolving the invalid root becoming trusted issue [PR 885](https://github.com/theupdateframework/tuf/pull/885) * Pull request implementing self verification of newly downloaded root metadata [PR 1101](https://github.com/theupdateframework/tuf/pull/1101)

Affected packages (2)

  • PyPI/tuffrom 0, < 0.12.0
  • PyPI/tuffrom 0, < 3d342e648fbacdf43a13d7ba8886aaaf07334af7 | from 0, < 0.12.0

CVSS scores

SourceVersionSeverityVector
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
osvCVSS 3.1HIGH8.7CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

References (8)