GHSA-72c7-4g63-hpw5

Source
https://github.com/advisories/GHSA-72c7-4g63-hpw5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-72c7-4g63-hpw5/GHSA-72c7-4g63-hpw5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-72c7-4g63-hpw5
Aliases
Published
2025-10-15T20:12:56Z
Modified
2025-11-05T19:58:47.693352Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents
Details

Impact

This vulnerability only affects users of the AWS attestor.

Users of the AWS attestor could have unknowingly received a forged identity document. While this may seem unlikely, AWS recently issued a security bulletin about IMDS (Instance Metadata Service) impersonation.[^1]

There are multiple locations where the verification of the identity document will mistakenly report a successful verification.

  • If a signature is not present or is empty https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L161-L163

  • If the RSA verification of the document fails for any reason https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L192-L196
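The two locations above describe the same failure class: a verifier that reports success when it has not actually checked anything (empty signature) or when the check itself failed. The following is an added, illustrative example and not go-witness's own code; it assumes the identity document is signed with RSA PKCS#1 v1.5 over SHA-256 and carried as base64 (the exact scheme, field names and code in aws-iid.go are not shown on this page). `verifyLenient` reproduces the fail-open pattern the advisory describes; `verifyStrict` is the fail-closed form a verifier should use, taking the public key as a parameter so the caller can supply the certificate for the correct AWS region rather than a single hard-coded one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed sample standing in for an EC2 instance identity document.
// The values are placeholders, not a real instance or account.
const sampleDocument = `{"instanceId":"i-0123456789abcdef0","region":"us-east-1","accountId":"123456789012"}`

// verifyLenient illustrates the fail-open pattern the advisory describes
// (assumed shape; not the project's code). It returns true even when no
// signature was supplied and even when the RSA check fails.
func verifyLenient(pub *rsa.PublicKey, document []byte, sigB64 string) bool {
	if sigB64 == "" {
		return true // BUG: nothing was checked, yet the document is reported as verified
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return true // BUG: undecodable signature is treated as success
	}
	digest := sha256.Sum256(document)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		// BUG: the failure is only reported, not propagated to the caller
		fmt.Printf("warning: signature verification failed: %v\n", err)
	}
	return true
}

// verifyStrict fails closed: any missing, malformed or non-verifying
// signature is an error, and the caller must treat the document as untrusted.
func verifyStrict(pub *rsa.PublicKey, document []byte, sigB64 string) error {
	if pub == nil {
		return errors.New("no public key supplied for the document's region")
	}
	if sigB64 == "" {
		return errors.New("identity document has no signature")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature is not valid base64: %w", err)
	}
	digest := sha256.Sum256(document)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("identity document signature verification failed: %w", err)
	}
	return nil
}

// signDocument stands in for AWS's signing step so the example runs offline.
func signDocument(priv *rsa.PrivateKey, document []byte) (string, error) {
	digest := sha256.Sum256(document)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

func main() {
	// Constructed key pair playing the role of the regional AWS signing key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	doc := []byte(sampleDocument)
	sig, err := signDocument(priv, doc)
	if err != nil {
		panic(err)
	}
	tampered := []byte(`{"instanceId":"i-0fedcba9876543210","region":"us-east-1","accountId":"123456789012"}`)

	fmt.Println("genuine, lenient:", verifyLenient(&priv.PublicKey, doc, sig))
	fmt.Println("genuine, strict: ", verifyStrict(&priv.PublicKey, doc, sig))
	fmt.Println("no signature, lenient:", verifyLenient(&priv.PublicKey, doc, ""))
	fmt.Println("no signature, strict: ", verifyStrict(&priv.PublicKey, doc, ""))
	fmt.Println("tampered, lenient:", verifyLenient(&priv.PublicKey, tampered, sig))
	fmt.Println("tampered, strict: ", verifyStrict(&priv.PublicKey, tampered, sig))
}
```

The lenient verifier accepts all three inputs; the strict one accepts only the genuine document. When reviewing a verifier for this bug class, check that every early return in the "missing input" and "error" paths resolves to failure, and that the caller consumes an error rather than a log line.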

Workarounds

The AWS attestation contains the identity document, the signature, and the public key that was used to verify the document. These attestations and their identity documents could be verified manually with the openssl command line, as documented in the AWS reference below.[^2]

However, the certificate containing the public key was hard-coded into the attestor. https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L46-L66

Since the attestor was originally written, AWS has moved to region-specific public certificates. The currently valid certificates were issued around April of 2024, making it difficult to identify attestations with forged content without additional trusted data proving the AWS region in which the attestation was created.

Patches

This vulnerability is addressed in go-witness 0.9.1 and witness 0.10.1.

Resources

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2025-10-15T20:15:36Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-295"
    ],
    "github_reviewed_at": "2025-10-15T20:12:56Z"
}
References

Affected packages

Go / github.com/in-toto/go-witness

Package

Name
github.com/in-toto/go-witness
View open source insights on deps.dev
Purl
pkg:golang/github.com/in-toto/go-witness

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
0.9.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-72c7-4g63-hpw5/GHSA-72c7-4g63-hpw5.json"