CVE-2020-15163

Name of the Vulnerable Software and Affected Versions Python TUF (The Update Framework) versions prior to 0.12

Description The issue allows an attacker, who can serve multiple new versions of root metadata through a man-in-the-middle attack, to control the trust chain for future updates by culminating in a version that has not been correctly signed. This occurs because the implementation will incorrectly trust a previously downloaded root metadata file which failed verification at download time.

Recommendations For versions prior to 0.12, update to version 0.12 or newer to resolve the issue. As a temporary workaround, consider restricting the use of the root metadata file until a patch is applied.