Florianveaux

Rank: #30126 of 53,632
Total CVSS: 8.7
Vulnerabilities: 1
PT-2020-14239
8.7
2020-09-09
Python · Python Tuf · CVE-2020-15163
**Name of the Vulnerable Software and Affected Versions**

Python TUF (The Update Framework) versions prior to 0.12

**Description**

The issue allows an attacker who can serve multiple new versions of root metadata through a man-in-the-middle attack to control the trust chain for future updates, culminating in a root metadata version that has not been correctly signed. This occurs because the implementation incorrectly trusts a previously downloaded root metadata file that failed verification at download time.

**Recommendations**

For versions prior to 0.12, update to version 0.12 or newer to resolve the issue. As a temporary workaround, consider restricting the use of the root metadata file until a patch is applied.