CVE-2020-15163: 
Python vulnerability analysis and mitigation

CVE-2020-15163 is a security vulnerability affecting the Python TUF (The Update Framework) reference implementation versions prior to 0.12. The vulnerability was disclosed on September 9, 2020. The issue allows an attacker to make an invalid root metadata file become trusted, potentially compromising the trust chain for future updates (GHSA Advisory).

The vulnerability occurs when the implementation incorrectly trusts a previously downloaded root metadata file that failed verification at download time. Specifically, the implementation was missing a critical verification step in the client workflow where newly downloaded root metadata was not being verified with a threshold of keys specified in the new root metadata file (GHSA Advisory).

An attacker who can perform a man-in-the-middle attack and serve multiple new versions of root metadata could potentially control the trust chain for future updates. This could lead to compromising the entire update verification process, allowing malicious updates to be accepted as legitimate (GHSA Advisory).

The vulnerability has been fixed in TUF version 0.12 and newer. Users should upgrade to at least version 0.12 to receive the security fix. No other workarounds are known for this issue (GHSA Advisory).