GHSA-77hh-43cm-v8j6: 
Python vulnerability analysis and mitigation

A security vulnerability was identified in the TUF (The Update Framework) Python implementation affecting versions 2.0.0 to 3.1.1, specifically in the Metadata API's Targets.get_delegated_role() function. The vulnerability stems from missing input validation in the case of 'succinct delegation', where the function fails to verify if the given delegated_rolename is actually delegated by the Targets (GitHub Advisory).

The vulnerability exists in the tuf.api.metadata.Targets.get_delegated_role() function, which is responsible for finding delegation information during the verification process of Metadata objects. When using succinct delegation, the function fails to properly validate whether the provided delegated_role argument is actually delegated by the Targets. This oversight affects the verification process used by Targets.verify_delegate() and Targets.get_verification_result() functions (GitHub Advisory).

The vulnerability's impact is considered low due to several factors. While it could result in incorrect verification results when using succinct delegation, it cannot affect TUF clients implementing the standard client workflow since the delegated role name is derived from trusted delegating Targets. Additionally, the actual signature verification process remains intact, requiring metadata to be correctly signed by the keys specified in the delegating role (GitHub Advisory).

A patch has been released in python-tuf version 3.1.1. Users can update to this version to address the vulnerability. For those unable to update immediately, a workaround exists: tuf.api.metadata users should only call Targets.get_delegated_role(), Targets.verify_delegate(), or Targets.get_verification_result() with delegated_role arguments that are known to be delegated by the Targets in question (TUF Release, GitHub Advisory).