PT-2021-23115 · Unknown · Python Tuf

Jku · Published 2021-10-19 · Updated 2021-10-22 · CVE-2021-41131

CVSS v2.0: 8.8 (High)
Vector: AV:N/AC:M/Au:N/C:N/I:C/A:C
Name of the Vulnerable Software and Affected Versions: python-tuf versions prior to 0.19

Description: The issue is a path traversal vulnerability that can overwrite files ending in .json anywhere on the client system when calling get_one_valid_targetinfo(). This occurs because the rolename is used to form the filename and may contain path traversal characters, such as ../../name.json. The impact is mitigated by the fact that it only affects implementations allowing arbitrary rolename selection for delegated targets metadata, requires the ability to insert new metadata and get the role delegated, and the written file content must be a valid, signed targets file with a .json extension.

Recommendations: For versions prior to 0.19, update to version 0.19 or newer to resolve the issue. As a temporary workaround, consider restricting the allowed character set for rolenames or storing metadata in files named in a way that is not vulnerable, although these approaches require modifying python-tuf.
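As an added illustration (not python-tuf's own code), the following Python contrasts the vulnerable pattern described above, where a delegated rolename becomes the metadata filename verbatim, with a rolename allowlist plus a directory containment check, the kind of workaround the advisory recommends. The metadata directory and the function names are assumptions for the example.

```python
"""Added example, not code from python-tuf: confining delegated-role
metadata filenames to the client's metadata directory."""
import os
import re

# Constructed example path for a client's local metadata store.
METADATA_DIR = "/srv/tuf-client/metadata"

# Allowlist for rolenames: letters, digits, dot, dash, underscore;
# "." and ".." alone are rejected, and no path separators are permitted.
ROLENAME_RE = re.compile(r"^(?!\.{1,2}$)[A-Za-z0-9._-]+$")


def metadata_path_unchecked(metadata_dir: str, rolename: str) -> str:
    """Mirrors the vulnerable pattern: rolename + '.json' is joined onto the
    metadata directory with no validation, so '../../name' leaves it."""
    return os.path.normpath(os.path.join(metadata_dir, rolename + ".json"))


def escapes_dir(metadata_dir: str, rolename: str) -> bool:
    """True when the unchecked path would resolve outside metadata_dir."""
    base = os.path.realpath(metadata_dir)
    target = os.path.realpath(metadata_path_unchecked(metadata_dir, rolename))
    return os.path.commonpath([base, target]) != base


def is_valid_rolename(rolename: str) -> bool:
    """Syntactic check only: does the rolename fit the allowlist?"""
    return ROLENAME_RE.fullmatch(rolename) is not None


def safe_metadata_path(metadata_dir: str, rolename: str) -> str:
    """Hardened variant: reject rolenames outside the allowlist, then verify
    the resolved path still lies inside metadata_dir (defence in depth)."""
    if not is_valid_rolename(rolename):
        raise ValueError(f"invalid rolename: {rolename!r}")
    base = os.path.realpath(metadata_dir)
    target = os.path.realpath(os.path.join(base, rolename + ".json"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"rolename escapes metadata directory: {rolename!r}")
    return target


if __name__ == "__main__":
    for name in ("targets", "delegated-role", "../../name"):
        print(f"{name!r}: escapes={escapes_dir(METADATA_DIR, name)} "
              f"valid={is_valid_rolename(name)}")
```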

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2021-41131
GHSA-WJW6-2CQR-J4QR
PYSEC-2021-376

Affected Products

Python Tuf