GHSA-99cg-575x-774p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-99cg-575x-774p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-99cg-575x-774p/GHSA-99cg-575x-774p.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-99cg-575x-774p
- Aliases
-
- CVE-2022-0317
- GO-2022-0294
- Published
- 2022-02-01T00:43:17Z
- Modified
- 2023-11-01T04:57:04.603218Z
- Severity
-
- 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Go-Attestation Improper Input Validation with attacker-controlled TPM Quote
- Details
-
Impact
An improper input validation vulnerability in go-attestation before 0.4.0 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing
AKPublic.Verifyto succeed despite the inconsistency. Subsequent use of the same set of PCR values inEventlog.Verifylacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log inEventlog.Verifyto spoof events in the TCG log, hence defeating remotely-attested measured-boot.Patches
This issue is resolved in version 0.4.0. If your usage of this library verifies PCRs using multiple quotes, make sure to use the new method
AKPublic.VerifyAll()instead ofAKPublic.Verify. - Database specific
{ "nvd_published_at": "2022-02-04T23:15:00Z", "cwe_ids": [ "CWE-20" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-01-31T22:15:30Z" }- References
Affected packages
Go / github.com/google/go-attestation
Package
- Name
- github.com/google/go-attestation
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/google/go-attestation