Product
The tough library before version 0.22.0 and tuftool before version 0.15.0 do not properly verify delegated target metadata, allowing an attacker with write access to serve expired or otherwise invalid targets from a TUF repository, potentially leading to the library trusting invalid targets.