Lucene search
PRIOn knowledge basePRION:CVE-2022-0317HistoryFeb 04, 2022 - 11:15 p.m.
Input validation
2022-02-0423:15:00
PRIOn knowledge base
www.prio-n.com
1
An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above.
| CPE | Name | Operator | Version |
|---|---|---|---|
| go-attestation | lt | 0.3.3 |
Related
nvd
nvd
CVE-2022-0317
2022-02-04 23:15:12
github
github
Go-Attestation Improper Input Validation with attacker-controlled TPM Quote
2022-02-01 00:43:17
osv
osv
Improper input validation in github.com/google/go-attestation
2022-07-15 23:27:21
Go-Attestation Improper Input Validation with attacker-controlled TPM Quote
2022-02-01 00:43:17
cve
cve
CVE-2022-0317
2022-02-04 23:15:12
cvelist
cvelist
CVE-2022-0317 Improper Input Validation in AKPublic.Verify in go-attestation
2022-01-25 00:00:00
veracode
veracode
Insecure Remote Attestation
2022-02-03 08:32:32