GHSA-f8mr-jv2c-v8mg · Severity: medium · Ecosystem: pip — Invalid root may become trusted root in The Update Framework (TUF)
Python TUF (The Update Framework) reference implementation before version 0.12 it will incorrectly trust a previously downloaded root metadata file which failed verification at download time. This allows an attacker who is able to serve multiple new versions of root metadata (i.e. by a person-in-the-middle attack) culminating in a version which has not been correctly signed to control the trust chain for future updates. This is fixed in version 0.12 and newer.
Conclusion & alert: CVE-2020-15163 is rated Moderate Risk (49.8/100): CVSS High severity, with low exploitation likelihood (EPSS 0.55%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.14% | 0.55% | +0.41% |
| 2 | 2025-03-30 | 0.18% | 0.14% | -0.04% |
| 3 | 2025-03-29 | — | 0.18% | — |
Full EPSS history (10 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.7 | 3.1 | HIGH |
|
2.3 | 5.8 | [email protected] |
| 8.2 | 3.1 | HIGH |
|
1.8 | 5.8 | [email protected] |
| 4.9 | 2.0 | MEDIUM |
|
6.8 | 4.9 | [email protected] |
GHSA-f8mr-jv2c-v8mg · Severity: medium · Ecosystem: pip — Invalid root may become trusted root in The Update Framework (TUF)
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2020-15163 unimportant priority: Debian including 1 source packages (python-tuf), 3 status rows across 3 suites (forky, sid, trixie): resolved 3. | https://security-tracker.debian.org/tracker/CVE-2020-15163 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| linuxfoundation | the_update_framework | < 0.12.0 | cpe:2.3:a:linuxfoundation:the_update_framework:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/theupdateframework/tuf/commit/3d342e648fbacdf43a13d7ba8886aaaf07334af7 | Broken Link |
| https://github.com/theupdateframework/tuf/pull/885 | Patch Third Party Advisory |
| https://github.com/theupdateframework/tuf/releases/tag/v0.12.0 | Third Party Advisory |
| https://github.com/theupdateframework/tuf/security/advisories/GHSA-f8mr-jv2c-v8mg | Third Party Advisory |
| https://pypi.org/project/tuf | Product Vendor Advisory |