tuf@0.9.8 vulnerabilities

A secure updater framework for Python

  • latest version

    5.1.0

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    2 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the tuf package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Directory Traversal

    tuf is a secure updater framework for Python.

    Affected versions of this package are vulnerable to Directory Traversal during a call to get_one_valid_targetinfo(), which may lead to an overwrite of files ending in .json. Note: This only affects implementations that allow arbitrary rolename selection for delegated targets metadata.

    How to fix Directory Traversal?

    Upgrade tuf to version 0.19.0 or higher.

    [,0.19.0)
    • M
    Improper Authorization

    tuf is a secure updater framework for Python.

    Affected versions of this package are vulnerable to Improper Authorization. It will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates.

    How to fix Improper Authorization?

    Upgrade tuf to version 0.12 or higher.

    [,0.12)
    • L
    Improper Verification of Cryptographic Signature

    tuf is a secure updater framework for Python.

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. The metadadata signature verification as provided by tuf.sig.verify() and used components such as tuf.client.updater counted multiple signatures with identical authorized keyids each separately towards the threshold.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade tuf to version 0.12.2 or higher.

    [,0.12.2)
    • M
    Denial of Service (DoS)

    tuf is a secure updater framework for Python.

    Affected versions of this package are vulnerable to Denial of Service (DoS). While maximum file size is restricted for downloading, the client may attempt to validate a large number of signatures. The file size limit of target.json is large and may allow up to 5000 signatures, further increasing the amount of time spent in validation.

    How to fix Denial of Service (DoS)?

    Upgrade tuf to version 0.12.2 or higher.

    [0.7.2,0.12.2)