Vulnerability Details : CVE-2022-0317
An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above.
Vulnerability category: Input validation
Products affected by CVE-2022-0317
- cpe:2.3:a:google:go-attestation:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-0317
0.02%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 2 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-0317
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
2.1
|
LOW | AV:L/AC:L/Au:N/C:N/I:P/A:N |
3.9
|
2.9
|
NIST | |
|
4.0
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
2.5
|
1.4
|
Google Inc. | |
|
3.3
|
LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
1.8
|
1.4
|
NIST |
CWE ids for CVE-2022-0317
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by:
- cve-coordination@google.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2022-0317
-
https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p
Improper Input Validation in AKPublic.Verify with attacker-controlled TPM Quote · Advisory · google/go-attestation · GitHubThird Party Advisory
Jump to