CVE-2024-29039

tpm2 is the source repository for the Trusted Platform Module (TPM2.0) tools. This vulnerability allows attackers to manipulate tpm2checkquote outputs by altering the TPMLPCR_SELECTION in the PCR input file. As a result, digest values are incorrectly mapped to PCR slots and banks, providing a misleading picture of the TPM state. This issue has been patched in version 5.7.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-807"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29039.json"
}

References

Affected packages

Git / github.com/tpm2-software/tpm2-tools

Affected ranges

Type: GIT
Repo: https://github.com/tpm2-software/tpm2-tools
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c6e182cf690ca0022b77fe7d3c174659917a7e7e

Affected versions

2.*

2.0.0

2.0.0-beta_0

3.*

3.0

3.0-rc0

3.0-rc1

3.0-rc2

3.0.1

3.0.2

4.*

4.0

4.0-rc0

4.0-rc1

4.0-rc2

4.1

4.1-rc0

4.1-rc1

4.1.1

4.1.1-RC0

4.1.1-RC1

4.1.2

4.1.2-rc0

4.1.3

4.1.3-rc0

4.2

4.2-RC0

4.2-rc1

4.2.1

4.2.1-rc0

4.2.1-rc1

4.3.0

4.3.0-rc0

4.3.0-rc1

5.*

5.0

5.0-rc0

5.1

5.1-rc0

5.1-rc1

5.1.1

5.1.1-rc0

5.2

5.2-rc0

5.3

5.3-rc0

5.3-rc1

5.4

5.4-rc0

5.5

5.5-rc0

5.5-rc1

5.6

5.6-rc0

5.7-rc0

5.7-rc1

Other

ajay-kish-pub

v1.*

v1.0.0

v1.0.1

v1.1-beta_0

v1.1-beta_1

v1.1.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-29039.json"