Insufficient verification of data authenticity in The Update Framework (TUF) - CVE-2020-15163

Published: September 9, 2020 / Updated: May 18, 2026


Vulnerability identifier: #VU131742
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-15163
CWE-ID: CWE-345
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Update Framework
Affected software:
The Update Framework (TUF)

Detailed vulnerability description

The vulnerability allows a remote attacker to take control of the trust chain for future updates.

The vulnerability exists due to improper verification of root metadata in the root metadata update workflow, in which the TUF client fetches successive new versions of root metadata (current version + 1, + 2, and so on) from the repository and must verify each one against the keys of the root it already trusts. A remote attacker in a man-in-the-middle position between the client and the repository can serve crafted root metadata and thereby take control of the trust chain for future updates.

The issue occurs because a downloaded root metadata file that failed verification at download time is nevertheless retained by the client and may later be treated as the trusted root. Once that happens, the attacker's keys, rather than the legitimate root keys, decide which subsequent metadata (timestamp, snapshot, targets and further root versions) the client accepts.
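The following is an added example, not code from the advisory or from the TUF project. It models the flaw as described above: a client that persists a downloaded root before verifying it and leaves it in place on failure, beside a hardened client that only commits a new root after the version check and the TUF root-rotation rule (signed to threshold by the currently trusted root's keys and by its own keys) both pass. Signatures are modelled with HMAC-SHA256 as a stand-in for the Ed25519 signatures real TUF metadata carries, the key material and metadata are constructed inline, and the names `VulnerableClient`, `HardenedClient`, `signed_by_old_and_new` and the sample key ids are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Signatures are modelled as HMAC-SHA256 under a per-key secret, a stand-in for
# the Ed25519 signatures real TUF root metadata carries (assumption made so the
# example runs offline). The "keys" map in root metadata holds those secrets.

def canonical(signed: dict) -> bytes:
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()

def make_root(version: int, keys: dict, threshold: int, signers: dict) -> dict:
    """Build root metadata listing `keys` (keyid -> secret) and signed by `signers`."""
    signed = {"_type": "root", "version": version, "threshold": threshold,
              "keys": {kid: sec.hex() for kid, sec in keys.items()}}
    payload = canonical(signed)
    return {"signed": signed,
            "signatures": [{"keyid": kid, "sig": sign(sec, payload)} for kid, sec in signers.items()]}

def verify_with(root: dict, keys: dict, threshold: int) -> bool:
    """True if `threshold` distinct keyids from `keys` have valid signatures on root."""
    payload = canonical(root["signed"])
    valid = set()
    for s in root["signatures"]:
        secret_hex = keys.get(s["keyid"])
        if secret_hex and hmac.compare_digest(sign(bytes.fromhex(secret_hex), payload), s["sig"]):
            valid.add(s["keyid"])
    return len(valid) >= threshold

def signed_by_old_and_new(nxt: dict, current: dict) -> bool:
    """TUF root-rotation rule: a new root must meet the threshold of the
    currently trusted root's keys AND the threshold of its own keys."""
    return (verify_with(nxt, current["signed"]["keys"], current["signed"]["threshold"])
            and verify_with(nxt, nxt["signed"]["keys"], nxt["signed"]["threshold"]))

class VulnerableClient:
    """Models the flaw as the advisory describes it: the downloaded root is
    written to the local metadata store before it is verified and is left
    there when verification fails, so a later run starts from it."""
    def __init__(self, trusted_root: dict):
        self.disk = {"root.json": trusted_root}

    def update_root(self, repo: dict) -> None:
        while True:
            current = self.disk["root.json"]
            nxt = repo.get(current["signed"]["version"] + 1)
            if nxt is None:
                return
            self.disk["root.json"] = nxt          # BUG: persisted before verification
            if not signed_by_old_and_new(nxt, current):
                return                            # failed, but root.json now holds nxt

class HardenedClient:
    """Only commits a new root after the version and both signature checks pass."""
    def __init__(self, trusted_root: dict):
        self.disk = {"root.json": trusted_root}

    def update_root(self, repo: dict) -> None:
        current = self.disk["root.json"]
        while True:
            nxt = repo.get(current["signed"]["version"] + 1)
            if nxt is None:
                return
            if nxt["signed"]["version"] != current["signed"]["version"] + 1:
                raise ValueError("root version is not current + 1")
            if not signed_by_old_and_new(nxt, current):
                raise ValueError("new root not signed by trusted and new keys")
            self.disk["root.json"] = nxt          # persist only a verified root
            current = nxt

# Constructed sample key material for the example (not real keys).
LEGIT = {"k1": b"legit-key-1-secret", "k2": b"legit-key-2-secret"}
ROTATED = {"k3": b"legit-key-3-secret"}
ATTACKER = {"evil": b"attacker-key-secret"}

def trusted_keyids_after_mitm(client_cls) -> list:
    """A MITM attacker serves a crafted version-2 root signed only by its own key."""
    client = client_cls(make_root(1, LEGIT, 1, LEGIT))
    try:
        client.update_root({2: make_root(2, ATTACKER, 1, ATTACKER)})
    except ValueError:
        pass
    return sorted(client.disk["root.json"]["signed"]["keys"])

def trusted_keyids_after_rotation(client_cls) -> list:
    """Legitimate rotation: version 2 lists new keys and is signed by old and new keys."""
    client = client_cls(make_root(1, LEGIT, 1, LEGIT))
    client.update_root({2: make_root(2, ROTATED, 1, {**LEGIT, **ROTATED})})
    return sorted(client.disk["root.json"]["signed"]["keys"])

if __name__ == "__main__":
    print("vulnerable after MITM:", trusted_keyids_after_mitm(VulnerableClient))
    print("hardened after MITM:  ", trusted_keyids_after_mitm(HardenedClient))
    print("hardened rotation:    ", trusted_keyids_after_rotation(HardenedClient))
```

After the man-in-the-middle run the vulnerable client's stored root lists only the attacker's key id, so every later metadata check is judged against attacker-controlled keys, while the hardened client still holds the original root; both clients accept the legitimate rotation, which shows the fix does not break normal key rollover.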


How to mitigate CVE-2020-15163

Install the security update from the vendor's website: the fix shipped in the python-tuf reference implementation version 0.12, so upgrade to 0.12 or later. On clients that may already have run the vulnerable workflow against an untrusted network path, check that the locally stored root metadata is signed by the expected root keys before relying on it, and re-bootstrap from a known-good root metadata file if it is not.

Sources