Описание
Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer.
Ссылки
- Broken Link
- PatchThird Party Advisory
- Third Party Advisory
- Third Party Advisory
- ProductVendor Advisory
- Broken Link
- PatchThird Party Advisory
- Third Party Advisory
- Third Party Advisory
- ProductVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.12.0 (исключая)
cpe:2.3:a:linuxfoundation:the_update_framework:*:*:*:*:*:*:*:*
EPSS
Процентиль: 35%
0.00144
Низкий
8.7 High
CVSS3
8.2 High
CVSS3
4.9 Medium
CVSS2
Дефекты
CWE-863
CWE-345
Связанные уязвимости
CVSS3: 8.7
debian
больше 5 лет назад
Python TUF (The Update Framework) reference implementation before vers ...
CVSS3: 8.7
github
больше 5 лет назад
Invalid root may become trusted root in The Update Framework (TUF)
EPSS
Процентиль: 35%
0.00144
Низкий
8.7 High
CVSS3
8.2 High
CVSS3
4.9 Medium
CVSS2
Дефекты
CWE-863
CWE-345