GO-2021-0095

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2021-0095

Import Source

https://vuln.go.dev/ID/GO-2021-0095.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2021-0095

Aliases

Published

2021-04-14T20:04:52Z

Modified

2024-05-20T16:03:47Z

Summary

Sensitive information exposure in github.com/google/go-tpm

Details

Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2 transport is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted, allowing them to use the created key.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2021-0095"
}

References

Credits

- Chris Fenner

Affected packages

Go / github.com/google/go-tpm

Package

Name: github.com/google/go-tpm; View open source insights on deps.dev
Purl: pkg:golang/github.com/google/go-tpm

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.3.0

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "CreateWrapKey"
            ],
            "path": "github.com/google/go-tpm/tpm"
        }
    ]
}