CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score confidence: Low

EPSS percentile: 9.1%

A flaw was found in the tpm2-tools package. The issue is a missing check of whether the magic number in the attest is equal to TPM2_GENERATED_VALUE, which can allow an attacker to generate arbitrary quote data that may not be detected by tpm2_checkquote (CVE-2024-29038).

The PCR selection passed with the --pcr parameter is not compared with the attest, so it is possible to fake a valid attestation (CVE-2024-29039). This vulnerability, classified as problematic, affects unspecified code in the file tools/misc/tpm2_checkquote.c, in the component PCR Selection Value Handler. Manipulation with an unknown input leads to a comparison vulnerability: the product compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.

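The two checks described above, written out as an added example (not the tpm2-tools fix or any code from the project): a bounds-checked walk over a marshalled TPMS_ATTEST that refuses a wrong magic value and a PCR selection different from the one the verifier asked for. Assumptions: the name `check_quote`, its return codes, the byte-for-byte comparison against a marshalled TPML_PCR_SELECTION and all sample bytes are constructed for illustration; signature verification over the attest is not shown.

```c
#include <stdint.h>
#include <string.h>
#define TPM2_GENERATED_VALUE 0xff544347u /* magic the TPM places in every attest */
#define TPM2_ST_ATTEST_QUOTE 0x8018u     /* attest type of a quote */
struct cur { const uint8_t *p; size_t left; int err; }; /* bounded read cursor */
/* Read an n-byte (n <= 8) big-endian integer; set err instead of overrunning. */
static uint64_t rd(struct cur *c, size_t n) {
    uint64_t v = 0;
    if (c->err || c->left < n) { c->err = 1; return 0; }
    for (c->left -= n; n--; ) v = (v << 8) | *c->p++;
    return v;
}
static void skip(struct cur *c, size_t n) {
    if (c->err || c->left < n) { c->err = 1; return; }
    c->p += n; c->left -= n;
}
/* Returns 0 ok, -1 malformed, -2 bad magic, -3 not a quote, -4 PCR selection
   differs from want (marshalled TPML_PCR_SELECTION the verifier asked for). */
int check_quote(const uint8_t *attest, size_t len, const uint8_t *want, size_t want_len) {
    struct cur c = { attest, len, 0 };
    uint32_t magic = (uint32_t)rd(&c, 4);
    uint16_t type = (uint16_t)rd(&c, 2);
    if (c.err) return -1;
    if (magic != TPM2_GENERATED_VALUE) return -2;
    if (type != TPM2_ST_ATTEST_QUOTE) return -3;
    skip(&c, (size_t)rd(&c, 2));   /* qualifiedSigner (TPM2B_NAME) */
    skip(&c, (size_t)rd(&c, 2));   /* extraData (TPM2B_DATA) */
    skip(&c, 17 + 8);              /* clockInfo + firmwareVersion */
    const uint8_t *sel = c.p;      /* TPML_PCR_SELECTION starts here */
    uint32_t count = (uint32_t)rd(&c, 4);
    for (uint32_t i = 0; i < count && !c.err; i++) {
        rd(&c, 2);                   /* bank hash algorithm */
        skip(&c, (size_t)rd(&c, 1)); /* sizeofSelect, then the PCR bitmap */
    }
    if (c.err) return -1;
    if ((size_t)(c.p - sel) != want_len || memcmp(sel, want, want_len)) return -4;
    skip(&c, (size_t)rd(&c, 2));   /* pcrDigest (TPM2B_DIGEST) must be present */
    return c.err ? -1 : 0;
}
/* Constructed sample quote: empty signer, 2-byte nonce, sha256 bank, PCR 0. */
const uint8_t SAMPLE[] = { 0xff,0x54,0x43,0x47, 0x80,0x18, 0,0, 0,2,0xaa,0xbb,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, /* clock(17), fw(8) */
    0,0,0,1, 0,0x0b, 3, 0x01,0,0, 0,2,0xde,0xad };      /* selection, digest */
const uint8_t BAD_MAGIC[] = { 0x00,0x54,0x43,0x47, 0x80,0x18 }; /* constructed */
const uint8_t WANT_PCR0[] = { 0,0,0,1, 0,0x0b, 3, 0x01,0,0 };   /* sha256:0 */
const uint8_t WANT_PCR7[] = { 0,0,0,1, 0,0x0b, 3, 0x80,0,0 };   /* sha256:7 */
int main(void) { /* exit 0: sample passes for PCR 0, is refused for PCR 7 */
    return check_quote(SAMPLE, sizeof SAMPLE, WANT_PCR0, sizeof WANT_PCR0) != 0
        || check_quote(SAMPLE, sizeof SAMPLE, WANT_PCR7, sizeof WANT_PCR7) != -4;
}
```

The byte-for-byte comparison is deliberately strict: a quote that lists the same PCRs in a different bank order is refused rather than normalised.
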
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Mageia | 9 | noarch | tpm2-tools | < 5.5.1-1 | tpm2-tools-5.5.1-1.mga9 |