Input validation error in The Update Framework (TUF) - #VU131744

Published: February 16, 2024 / Updated: May 18, 2026


Vulnerability identifier: #VU131744
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Update Framework
Affected software:
The Update Framework (TUF)

Detailed vulnerability description

The vulnerability allows a remote user to cause incorrect delegation verification results.

The vulnerability exists due to improper input validation in Targets.get_delegated_role() when processing a delegated_role argument for succinct delegations. A remote user can supply the name of unrelated metadata to cause incorrect delegation verification results.

Only direct users of tuf.api.metadata are impacted; tuf.ngclient users are not affected. Exploitation requires that succinct delegations are used and that the unrelated metadata is correctly signed by the keys defined in the succinct delegation.
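A simplified model of the lookup the description refers to, added here as an example (not python-tuf's own code): a succinct delegation names its bins `<prefix>-<hex index>` as in TAP 15, the unchecked lookup hands back the shared keys for any name at all, and the checked variant first confirms the name is really one of its bins. All class and function names are constructed for this illustration.

```python
"""Model of a TUF succinct delegation showing why get_delegated_role()
must validate the role name. Constructed example, not python-tuf code."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SuccinctDelegation:
    """All 2**bit_length bins share the same keys and threshold."""
    keyids: frozenset
    threshold: int
    bit_length: int
    name_prefix: str

    @property
    def suffix_len(self) -> int:
        # Hex digits needed to write the highest bin index.
        return len(f"{2 ** self.bit_length - 1:x}")

    def role_for_target(self, target_path: str) -> str:
        # Bin chosen by the leading bit_length bits of SHA-256(path).
        digest = hashlib.sha256(target_path.encode()).digest()
        index = int.from_bytes(digest, "big") >> (256 - self.bit_length)
        return f"{self.name_prefix}-{index:0{self.suffix_len}x}"

    def is_delegated_role(self, role_name: str) -> bool:
        # True only for "<prefix>-<lowercase hex>" within the bin range.
        prefix = self.name_prefix + "-"
        if not role_name.startswith(prefix):
            return False
        suffix = role_name[len(prefix):]
        if len(suffix) != self.suffix_len:
            return False
        if any(c not in "0123456789abcdef" for c in suffix):
            return False
        return int(suffix, 16) < 2 ** self.bit_length


def get_delegated_role_unchecked(d: SuccinctDelegation, name: str) -> dict:
    # Unvalidated lookup: any name, e.g. an unrelated role, gets the bin
    # keys, so metadata signed by those keys verifies under that name.
    return {"keyids": d.keyids, "threshold": d.threshold}


def get_delegated_role_checked(d: SuccinctDelegation, name: str) -> dict:
    # Hardened lookup: refuse names that are not bins of this delegation.
    if not d.is_delegated_role(name):
        raise ValueError(f"{name!r} is not a bin of {d.name_prefix!r}")
    return {"keyids": d.keyids, "threshold": d.threshold}
```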


Remediation

Install the security update from the vendor's website.

Sources