SB2024021640 - Input validation error in The Update Framework (TUF)
Published: February 16, 2024 Updated: May 18, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Input validation error (CVE-ID: N/A)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause incorrect delegation verification results.
The vulnerability exists due to improper input validation in Targets.get_delegated_role() when processing the delegated_role argument for succinct delegations: the supplied role name is not checked against the set of bin names that the succinct delegation actually generates, so the delegation's keys and threshold are returned for any name. A remote user can supply the name of unrelated metadata and have it verified against the succinct delegation's keys, causing incorrect delegation verification results.
Only direct users of tuf.api.metadata are impacted; tuf.ngclient users are not affected. Exploitation requires that succinct delegations are used and that the unrelated metadata is correctly signed, at threshold, by the keys defined in the succinct delegation.
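As an added illustration (model code written for this bulletin, not python-tuf's own source), the snippet below mirrors the shape of tuf.api.metadata's SuccinctRoles and Targets.get_delegated_role() without importing the library. The bin naming, hash-to-bin mapping and is_delegated_role() check are reimplemented here; the method get_delegated_role_vulnerable() reproduces the faulty lookup that returns the succinct delegation for any name, and get_delegated_role() shows the corrected lookup that rejects names the delegation does not generate. Signature verification is modelled by keyid membership so the example runs offline; the prefix "bins", the keyids, the target path and the role name "unrelated" are constructed sample data.

```python
"""Stand-alone model of succinct hash-bin delegations and the delegated-role
lookup, written for this bulletin. It is NOT python-tuf source: it mirrors the
shape of tuf.api.metadata.SuccinctRoles and Targets.get_delegated_role() so the
faulty lookup and the corrected lookup can be run side by side, offline.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional


@dataclass
class SuccinctRoles:
    """One succinct delegation: 2**bit_length bins sharing keyids and threshold."""

    keyids: List[str]
    threshold: int
    bit_length: int
    name_prefix: str

    def __post_init__(self) -> None:
        self.number_of_bins = 2 ** self.bit_length
        # hex digits needed to write the highest bin index (1 for 16 bins, 2 for 256)
        self.suffix_len = len(f"{self.number_of_bins - 1:x}")

    def get_roles(self) -> Iterator[str]:
        """Every bin name this delegation generates, 'bins-0' .. 'bins-f' for 4 bits."""
        for i in range(self.number_of_bins):
            yield f"{self.name_prefix}-{i:0{self.suffix_len}x}"

    def get_role_for_target(self, target_filepath: str) -> str:
        """Bin for a target path: the top bit_length bits of sha256(path)."""
        digest = hashlib.sha256(target_filepath.encode("utf-8")).digest()[:4]
        bin_number = int.from_bytes(digest, "big") >> (32 - self.bit_length)
        return f"{self.name_prefix}-{bin_number:0{self.suffix_len}x}"

    def is_delegated_role(self, role_name: str) -> bool:
        """True only for names in get_roles(): right prefix, right width, in range."""
        prefix = self.name_prefix + "-"
        if not role_name.startswith(prefix):
            return False
        suffix = role_name[len(prefix):]
        if len(suffix) != self.suffix_len:
            return False
        try:
            number = int(suffix, 16)
        except ValueError:
            return False
        return 0 <= number < self.number_of_bins


@dataclass
class Targets:
    """Targets metadata carrying only a succinct delegation (model)."""

    succinct_roles: Optional[SuccinctRoles] = None

    def get_delegated_role_vulnerable(self, delegated_role: str) -> SuccinctRoles:
        """Faulty lookup (hypothetical name): the argument is never compared with
        the generated bins, so ANY name yields the delegation's keys and threshold."""
        if self.succinct_roles is None:
            raise ValueError("No delegations found")
        return self.succinct_roles

    def get_delegated_role(self, delegated_role: str) -> SuccinctRoles:
        """Corrected lookup: names the delegation does not generate are rejected."""
        if self.succinct_roles is None:
            raise ValueError("No delegations found")
        if not self.succinct_roles.is_delegated_role(delegated_role):
            raise ValueError(f"Delegated role {delegated_role} not found")
        return self.succinct_roles


def delegation_verifies(
    name: str, signing_keyids: List[str], lookup: Callable[[str], SuccinctRoles]
) -> bool:
    """Model of Targets.verify_delegate(): resolve the role by name, then require
    threshold-many of its keys among the signers. Real signature verification is
    replaced by keyid membership so the model runs without cryptography."""
    try:
        role = lookup(name)
    except ValueError:
        return False  # no such delegated role, nothing to verify against
    signed = sum(1 for keyid in signing_keyids if keyid in role.keyids)
    return signed >= role.threshold


# Constructed sample data: 16 bins "bins-0".."bins-f", one key, threshold 1.
BINS = SuccinctRoles(keyids=["key-a"], threshold=1, bit_length=4, name_prefix="bins")
TARGETS = Targets(succinct_roles=BINS)

if __name__ == "__main__":
    # Metadata named "unrelated", signed with the bin key, is accepted by the
    # faulty lookup and rejected by the corrected one.
    print(delegation_verifies("unrelated", ["key-a"], TARGETS.get_delegated_role_vulnerable))  # True
    print(delegation_verifies("unrelated", ["key-a"], TARGETS.get_delegated_role))  # False
    print(BINS.get_role_for_target("pkg/app-1.0.tar.gz"))  # one of bins-0 .. bins-f
```

The point to take from the model is that the name check is what ties a piece of metadata to the delegation: without it, any metadata signed by the bin keys is accepted under whatever name the caller passes, which is exactly the precondition the bulletin describes (succinct delegations in use, unrelated metadata signed by the delegation's keys).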
Remediation
Install the fixed python-tuf release from the vendor's website. Until the update is deployed, code that uses tuf.api.metadata directly with succinct delegations should confirm the role name with SuccinctRoles.is_delegated_role() before passing it to Targets.get_delegated_role() or Targets.verify_delegate().