{"id":"PYSEC-2020-145","details":"Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer.","aliases":["CVE-2020-15163","GHSA-f8mr-jv2c-v8mg"],"modified":"2023-11-08T04:02:31.799548Z","published":"2020-09-09T18:15:00Z","references":[{"type":"WEB","url":"https://github.com/theupdateframework/tuf/releases/tag/v0.12.0"},{"type":"ADVISORY","url":"https://github.com/theupdateframework/tuf/security/advisories/GHSA-f8mr-jv2c-v8mg"},{"type":"FIX","url":"https://github.com/theupdateframework/tuf/commit/3d342e648fbacdf43a13d7ba8886aaaf07334af7"},{"type":"PACKAGE","url":"https://pypi.org/project/tuf"},{"type":"WEB","url":"https://github.com/theupdateframework/tuf/pull/885"}],"affected":[{"package":{"name":"tuf","ecosystem":"PyPI","purl":"pkg:pypi/tuf"},"ranges":[{"type":"GIT","repo":"https://github.com/theupdateframework/tuf","events":[{"introduced":"0"},{"fixed":"3d342e648fbacdf43a13d7ba8886aaaf07334af7"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.12.0"}]}],"versions":["0.7.5","0.9.8","0.9.9","0.10.0","0.10.1","0.10.2","0.11.dev0","0.11.0","0.11.1","0.11.2.dev1","0.11.2.dev2","0.11.2.dev3","0.12.dev0","0.12.dev1","0.12.dev2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/tuf/PYSEC-2020-145.yaml"}}],"schema_version":"1.7.3"}