The vulnerability description explicitly names tuf.api.metadata.Targets.get_delegated_role() as the primary function with missing input validation. The provided patches (77cb66bc and eb4834d9 show the same change) directly modify this function in tuf/api/metadata.py. The diff shows that a conditional check, if succinct.is_delegated_role(delegated_role):, was added. Before this change, if self.delegations.roles was None (indicating the use of succinct delegations, in which case self.delegations.succinct_roles is used instead), the code assigned self.delegations.succinct_roles to role without verifying that the delegated_role string actually named a role defined by the succinct_roles object. This lack of validation is the core of the vulnerability. The description also lists Targets.verify_delegate() and Targets.get_verification_result() as impacted, most likely because they call get_delegated_role() internally. However, the patch only directly modifies get_delegated_role(), so it is the most direct vulnerable function identifiable from the patch evidence.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tuf | pip | >= 2.0.0, < 3.1.1 | 3.1.1 |
tuf.api.metadata in this way. All users of tuf.ngclient are specifically not impacted. Users of tuf.api.metadata could be impacted if they use succinct delegations in the way described above.
A fix is available in python-tuf 3.1.1 as commit 77cb66bc and in later releases as commit eb4834d9.
tuf.api.metadata users should only call Targets.get_delegated_role(), Targets.verify_delegate() or Targets.get_verification_result() with a delegated_role argument that is known to be delegated by the Targets in question.
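The following is an added illustration of the lookup behaviour described above (the missing is_delegated_role() check and why callers of the unpatched API must only pass known delegated role names). It is not python-tuf's own code: the classes are simplified, constructed stand-ins for tuf.api.metadata.SuccinctRoles, Delegations and Targets that keep only the fields the lookup touches, and the succinct role-name check is an assumed simplification of the real one. The vulnerable and fixed lookups sit side by side so the difference in accepted inputs can be observed directly.

```python
"""Constructed model of the succinct-delegation lookup before and after the fix.

Added example, not code from python-tuf. The classes below are simplified
stand-ins (assumptions) for tuf.api.metadata.SuccinctRoles, Delegations and
Targets, reduced to the fields that get_delegated_role() consults.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass
class SuccinctRoles:
    # Succinct hash-bin delegations name their roles "<prefix>-<hex bin index>".
    name_prefix: str
    bit_length: int

    @property
    def number_of_bins(self) -> int:
        return 2 ** self.bit_length

    @property
    def suffix_len(self) -> int:
        # Hex digits needed to write the highest bin index.
        return len(f"{self.number_of_bins - 1:x}")

    def is_delegated_role(self, role_name: str) -> bool:
        """True only if role_name is one of the bins this object delegates to."""
        prefix = self.name_prefix + "-"
        if not role_name.startswith(prefix):
            return False
        suffix = role_name[len(prefix):]
        if len(suffix) != self.suffix_len:
            return False
        try:
            index = int(suffix, 16)
        except ValueError:
            return False
        return 0 <= index < self.number_of_bins


@dataclass
class DelegatedRole:
    name: str


@dataclass
class Delegations:
    # In real metadata exactly one of roles / succinct_roles is populated.
    roles: Optional[Dict[str, DelegatedRole]] = None
    succinct_roles: Optional[SuccinctRoles] = None


@dataclass
class Targets:
    delegations: Optional[Delegations] = None

    def get_delegated_role_vulnerable(self, delegated_role: str):
        """Lookup as it behaved before the fix (constructed reconstruction)."""
        if self.delegations is None:
            raise ValueError("No delegations found")
        role = None
        if self.delegations.roles is not None:
            role = self.delegations.roles.get(delegated_role)
        elif self.delegations.succinct_roles is not None:
            # Defect: the succinct roles object is returned for ANY name,
            # so an undelegated name is treated as a valid delegation.
            role = self.delegations.succinct_roles
        if role is None:
            raise ValueError(f"Delegated role {delegated_role} not found")
        return role

    def get_delegated_role(self, delegated_role: str):
        """Lookup with the added is_delegated_role() guard."""
        if self.delegations is None:
            raise ValueError("No delegations found")
        role = None
        if self.delegations.roles is not None:
            role = self.delegations.roles.get(delegated_role)
        elif self.delegations.succinct_roles is not None:
            succinct = self.delegations.succinct_roles
            if succinct.is_delegated_role(delegated_role):
                role = succinct
        if role is None:
            raise ValueError(f"Delegated role {delegated_role} not found")
        return role


def accepts(lookup: Callable[[str], object], name: str) -> bool:
    """Return True if the lookup treats name as a delegated role."""
    try:
        lookup(name)
        return True
    except ValueError:
        return False


def compare(targets: Targets, name: str) -> Tuple[bool, bool]:
    """(accepted by vulnerable lookup, accepted by fixed lookup) for one name."""
    return (accepts(targets.get_delegated_role_vulnerable, name),
            accepts(targets.get_delegated_role, name))


# Constructed sample metadata: 16 succinct bins "bins-0" .. "bins-f",
# and a separate Targets using explicit (non-succinct) delegations.
SUCCINCT_TARGETS = Targets(Delegations(succinct_roles=SuccinctRoles("bins", 4)))
EXPLICIT_TARGETS = Targets(Delegations(roles={"dev": DelegatedRole("dev")}))

if __name__ == "__main__":
    for name in ("bins-7", "unrelated-role", "bins-10"):
        print(name, compare(SUCCINCT_TARGETS, name))
```

The explicit-delegation path behaves the same before and after the fix; only the succinct path changed, which is why the advisory scopes the impact to succinct delegations and why unpatched callers must pass only names they already know are delegated.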