GHSA-3wxm-m9m4-cprj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3wxm-m9m4-cprj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-3wxm-m9m4-cprj/GHSA-3wxm-m9m4-cprj.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-3wxm-m9m4-cprj
- Aliases
- Published
- 2021-05-21T16:24:44Z
- Modified
- 2024-08-21T14:57:43.047997Z
- Summary
- Import of incorrectly embargoed keys could cause early publication
- Details
-
Impact
If your installation is using the
export-importerservice, there is potential impact. If your installation is not importing keys via theexport-importerservices, your installation is not impacted.In versions
0.19.1and earlier, theexport-importerservice assumed that the server it was importing from had properly embargoed keys for at least 2 hours after their expiry time. There are now known instances of servers that did not properly embargo keys.This could allow allow for imported keys to be re-published before they have expired, allowing for potential replay of RPIs.
Patches
This is patched in
v0.18.3and all versions0.19.2and later.Workarounds
Ensure that the servers you are importing export zip files from are not publishing keys too early.
References
n/a
For more information
If you have any questions or comments about this advisory * Open an issue in exposure-notifications-server * Email us at exposure-notifications-feedback@google.com
- Database specific
{ "nvd_published_at": null, "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-05-20T20:24:22Z" }- References
Affected packages
Go / github.com/google/exposure-notifications-server
Package
- Name
- github.com/google/exposure-notifications-server
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/google/exposure-notifications-server
Go / github.com/google/exposure-notifications-server
Package
- Name
- github.com/google/exposure-notifications-server
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/google/exposure-notifications-server