tuf 0.11.0 vulnerabilities

Known vulnerabilities in the tuf package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Directory Traversal tuf is a secure updater framework for Python. Affected versions of this package are vulnerable to Directory Traversal during a call to `get_one_valid_targetinfo()`, which may lead to an overwrite of files ending in `.json`. Note: This only affects implementations that allow arbitrary rolename selection for delegated targets metadata. How to fix Directory Traversal? Upgrade `tuf` to version 0.19.0 or higher.	[,0.19.0)
M Improper Authorization tuf is a secure updater framework for Python. Affected versions of this package are vulnerable to Improper Authorization. It will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. How to fix Improper Authorization? Upgrade `tuf` to version 0.12 or higher.	[,0.12)
L Improper Verification of Cryptographic Signature tuf is a secure updater framework for Python. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. The metadadata signature verification as provided by `tuf.sig.verify()` and used components such as `tuf.client.updater` counted multiple signatures with identical authorized keyids each separately towards the threshold. How to fix Improper Verification of Cryptographic Signature? Upgrade `tuf` to version 0.12.2 or higher.	[,0.12.2)
M Denial of Service (DoS) tuf is a secure updater framework for Python. Affected versions of this package are vulnerable to Denial of Service (DoS). While maximum file size is restricted for downloading, the client may attempt to validate a large number of signatures. The file size limit of `target.json` is large and may allow up to 5000 signatures, further increasing the amount of time spent in validation. How to fix Denial of Service (DoS)? Upgrade `tuf` to version 0.12.2 or higher.	[0.7.2,0.12.2)

Vulnerability

Vulnerable Version

Directory Traversal

tuf is a secure updater framework for Python.

Affected versions of this package are vulnerable to Directory Traversal during a call to get_one_valid_targetinfo(), which may lead to an overwrite of files ending in .json. Note: This only affects implementations that allow arbitrary rolename selection for delegated targets metadata.

How to fix Directory Traversal?

Upgrade tuf to version 0.19.0 or higher.

[,0.19.0)

Improper Authorization

tuf is a secure updater framework for Python.

Affected versions of this package are vulnerable to Improper Authorization. It will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates.

How to fix Improper Authorization?

Upgrade tuf to version 0.12 or higher.

[,0.12)

Improper Verification of Cryptographic Signature

tuf is a secure updater framework for Python.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. The metadadata signature verification as provided by tuf.sig.verify() and used components such as tuf.client.updater counted multiple signatures with identical authorized keyids each separately towards the threshold.

How to fix Improper Verification of Cryptographic Signature?

Upgrade tuf to version 0.12.2 or higher.

[,0.12.2)

Denial of Service (DoS)

tuf is a secure updater framework for Python.

Affected versions of this package are vulnerable to Denial of Service (DoS). While maximum file size is restricted for downloading, the client may attempt to validate a large number of signatures. The file size limit of target.json is large and may allow up to 5000 signatures, further increasing the amount of time spent in validation.

How to fix Denial of Service (DoS)?

Upgrade tuf to version 0.12.2 or higher.

[0.7.2,0.12.2)

tuf@0.11.0 vulnerabilities

A secure updater framework for Python

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?