Lucene search
+L

21 matches found

OSV
OSV
added 2026/06/25 6:43 p.m.9 views

GO-2026-5298 Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList() in github.com/google/go-attestation

Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList in github.com/google/go-attestation...

8.9CVSS5.8AI score0.00191EPSS
Exploits0References4
NVD
NVD
added 2026/06/24 2:16 a.m.12 views

CVE-2026-12681

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS0.00191EPSS
Exploits0References3
OSV
OSV
added 2026/06/24 2:16 a.m.4 views

UBUNTU-CVE-2026-12681

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS6.2AI score0.00191EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/24 12:49 a.m.18 views

EUVD-2026-38641

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS6.2AI score0.00191EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/24 12:49 a.m.10 views

CVE-2026-12681

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS6.2AI score0.00191EPSS
Exploits0References4
CVE
CVE
added 2026/06/24 12:49 a.m.27 views

CVE-2026-12681

Summary: CVE-2026-12681 affects Google go-attestation prior to 0.6.1. The issue arises in parseEfiSignatureList(): the buffer is not advanced past vendor bytes before reading entries, enabling attacker-controlled vendor header bytes to be appended to the trusted SHA256 hash list. A crafted TPM ev...

8.9CVSS6.2AI score0.00191EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/24 12:49 a.m.36 views

CVE-2026-12681

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS0.00191EPSS
Exploits0References3
OSV
OSV
added 2026/06/24 12:49 a.m.5 views

CVE-2026-12681

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList does not advance the buffer past vendor bytes before reading entries. For hashSHA256SigGUID lists, this allows attacker-controlled vendor header bytes to be appended ...

8.9CVSS6.2AI score0.00191EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/06/12 3:4 p.m.13 views

Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()

Summary parseEfiSignatureList in attest/internal/events.go does not skip SignatureHeaderSize vendor bytes before reading EFISIGNATURELIST signature entries, violating UEFI specification section 31.4.1. Impact For hashSHA256SigGUID lists, attacker-controlled vendor header bytes are appended direct...

5.5AI score
Exploits0References5Affected Software1
OSV
OSV
added 2026/06/12 3:4 p.m.9 views

GHSA-9R4W-JG96-92MV Go-Attestation: Hash injection into trusted measurement list via unskipped SignatureHeaderSize vendor bytes in parseEfiSignatureList()

Summary parseEfiSignatureList in attest/internal/events.go does not skip SignatureHeaderSize vendor bytes before reading EFISIGNATURELIST signature entries, violating UEFI specification section 31.4.1. Impact For hashSHA256SigGUID lists, attacker-controlled vendor header bytes are appended direct...

6.8CVSS5.6AI score0.00191EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2022-0934

Malicious code in bioql PyPI...

4CVSS4.7AI score0.00096EPSS
Exploits0References5
NVD
NVD
added 2022/02/04 11:15 p.m.39 views

CVE-2022-0317

An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the...

4CVSS0.00096EPSS
Exploits0References1
Prion
Prion
added 2022/02/04 11:15 p.m.20 views

Input validation

An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the...

2.1CVSS3.9AI score0.00096EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2022/02/04 10:33 p.m.79 views

CVE-2022-0317

The CVE-2022-0317 issue affects go-attestation prior to 0.4.0. A local attacker can craft a malicious Quote with no/some PCRs that makes AKPublic.Verify succeed, then reuse the same PCR set in Eventlog.Verify to spoof TCG log events and defeat remotely-attested measured-boot. Public advisories (G...

4CVSS3.6AI score0.00096EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2022/02/04 10:33 p.m.37 views

CVE-2022-0317 Improper Input Validation in AKPublic.Verify in go-attestation

An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the...

4CVSS4.5AI score0.00096EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2022/02/04 10:33 p.m.12 views

CVE-2022-0317 Improper Input Validation in AKPublic.Verify in go-attestation

An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the...

4CVSS4.1AI score0.00096EPSS
Exploits0References1
OSV
OSV
added 2022/02/04 10:33 p.m.8 views

CVE-2022-0317 Improper Input Validation in AKPublic.Verify in go-attestation

An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the...

4CVSS6AI score0.00096EPSS
Exploits0References3
CNNVD
CNNVD
added 2022/02/04 12:0 a.m.5 views

go-attestation 输入验证错误漏洞

Go-Attestation is used to abstract remote authentication operations across a variety of platforms and tpm's, thus enabling remote verification of computer identifiers and state. A security vulnerability existed prior to go-attestation 0.3.3 that allowed a local user to provide a maliciously...

4CVSS5.1AI score0.00096EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2022/02/01 12:43 a.m.34 views

Go-Attestation Improper Input Validation with attacker-controlled TPM Quote

Impact An improper input validation vulnerability in go-attestation before 0.4.0 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the...

4CVSS4.4AI score0.00096EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2022/02/01 12:43 a.m.27 views

GHSA-99CG-575X-774P Go-Attestation Improper Input Validation with attacker-controlled TPM Quote

Impact An improper input validation vulnerability in go-attestation before 0.4.0 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the...

4CVSS3.7AI score0.00096EPSS
Exploits0References5
Rows per page
Query Builder