CVE-2021-41131: 
Python vulnerability analysis and mitigation

A path traversal vulnerability was discovered in python-tuf (The Update Framework) versions 0.18.1 and earlier. The vulnerability exists in both client implementations (tuf/client and tuf/ngclient) where rolename validation is insufficient when handling delegated targets metadata (GitHub Advisory).

The vulnerability occurs because rolenames are used to form filenames without proper validation, allowing path traversal characters (e.g., ../../name.json) in delegated targets metadata. When get_one_valid_targetinfo() is called, this can lead to files being written outside the intended metadata store directory. The vulnerability requires the ability to both insert new metadata for the path-traversing role and get the role delegated by existing targets metadata (GitHub Advisory).

The vulnerability could allow an attacker to overwrite files ending in .json anywhere on the client system. However, the impact is somewhat limited since the written file content must be a valid, signed targets file and the file extension is always restricted to .json (GitHub Advisory).

The vulnerability has been fixed in version 0.19 and newer releases of python-tuf. There are no workarounds available that don't require code changes. While clients could theoretically restrict the allowed character set for rolenames or modify how metadata is stored in files, these approaches require modifying the python-tuf codebase (GitHub Advisory).