cvelist/2022/0xxx/CVE-2022-0317.json

{
  "CVE_data_meta": {
      "ASSIGNER": "security@google.com",
      "DATE_PUBLIC": "2022-01-25T13:36:00.000Z",
      "ID": "CVE-2022-0317",
      "STATE": "PUBLIC",
      "TITLE": "Improper Input Validation in AKPublic.Verify in go-attestation"
  },
  "affects": {
      "vendor": {
          "vendor_data": [
              {
                  "product": {
                      "product_data": [
                          {
                              "product_name": "go-attestation",
                              "version": {
                                  "version_data": [
                                      {
                                          "version_affected": "<",
                                          "version_value": "0.4.0"
                                      }
                                  ]
                              }
                          }
                      ]
                  },
                  "vendor_name": "Google LLC"
              }
          ]
      }
  },
  "credit": [
      {
          "lang": "eng",
          "value": "Nikki VonHollen"
      }
  ],
  "data_format": "MITRE",
  "data_type": "CVE",
  "data_version": "4.0",
  "description": {
      "description_data": [
          {
              "lang": "eng",
              "value": "An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above."
          }
      ]
  },
  "generator": {
      "engine": "Vulnogram 0.0.9"
  },
  "impact": {
      "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
      }
  },
  "problemtype": {
      "problemtype_data": [
          {
              "description": [
                  {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                  }
              ]
          }
      ]
  },
  "references": {
      "reference_data": [
          {
              "refsource": "CONFIRM",
              "url": "https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p"
          }
      ]
  },
  "source": {
      "discovery": "INTERNAL"
  }
}
"-Synchronized-Data." 2022-01-20 11:01:12 +00:00			`{`
CVE-2022-0317 - Input validation in Go-Attestation 2022-02-04 12:36:01 +01:00			`"CVE_data_meta": {`
			`"ASSIGNER": "security@google.com",`
			`"DATE_PUBLIC": "2022-01-25T13:36:00.000Z",`
			`"ID": "CVE-2022-0317",`
			`"STATE": "PUBLIC",`
			`"TITLE": "Improper Input Validation in AKPublic.Verify in go-attestation"`
			`},`
			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "go-attestation",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "<",`
			`"version_value": "0.4.0"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "Google LLC"`
			`}`
			`]`
			`}`
			`},`
			`"credit": [`
			`{`
			`"lang": "eng",`
			`"value": "Nikki VonHollen"`
			`}`
			`],`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
			"value": "An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above."
			`}`
			`]`
			`},`
			`"generator": {`
			`"engine": "Vulnogram 0.0.9"`
			`},`
			`"impact": {`
			`"cvss": {`
			`"attackComplexity": "LOW",`
			`"attackVector": "LOCAL",`
			`"availabilityImpact": "NONE",`
			`"baseScore": 4,`
			`"baseSeverity": "MEDIUM",`
			`"confidentialityImpact": "NONE",`
			`"integrityImpact": "LOW",`
			`"privilegesRequired": "NONE",`
			`"scope": "UNCHANGED",`
			`"userInteraction": "NONE",`
			`"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",`
			`"version": "3.1"`
			`}`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-20 Improper Input Validation"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"refsource": "CONFIRM",`
			`"url": "https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p"`
			`}`
			`]`
			`},`
			`"source": {`
			`"discovery": "INTERNAL"`
			`}`
			`}`