tuf

PyPI4 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting tufpage 1 of 1

CVE-2020-15163HIGHCVSS 8.7EG 8.7✓ Fixed in 0.12.0
2020-09-09
vulnerable: 0.7.5 ... 0.12.dev2 (15 versions)
Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve mu…
CVE-2020-6173MEDIUMCVSS 5.3EG 5.3✓ Fixed in 0.12.2
2020-01-14
vulnerable: 0.7.5 ... 0.12.1 (17 versions)
TUF (aka The Update Framework) 0.7.2 through 0.12.1 allows Uncontrolled Resource Consumption.
CVE-2020-6174CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.12.2
2020-02-05
vulnerable: 0.7.5 ... 0.12.1 (17 versions)
TUF (aka The Update Framework) through 0.12.1 has Improper Verification of a Cryptographic Signature.
CVE-2021-41131HIGHCVSS 7.5EG 7.5✓ Fixed in 0.19.0
2021-10-19
vulnerable: 0.10.0 ... 0.9.9 (25 versions)
python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients (`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can overwrite files ending in `.json` anywhere…

Check whether tuf is used in your infrastructure

EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for tuf CVEs against the assets you own.

Start Free Scan →