CVE-2022-0317 - Input validation in Go-Attestation

2025-08-04 08:44:25 +00:00 · 2022-02-04 12:36:01 +01:00 · 2022-02-04 12:36:01 +01:00 · 666aa5209c
commit 666aa5209c
parent 0ac3fab733
1 changed files with 91 additions and 17 deletions
--- a/2022/0xxx/CVE-2022-0317.json
+++ b/2022/0xxx/CVE-2022-0317.json
@ -1,18 +1,92 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
-    "CVE_data_meta": {
-        "ID": "CVE-2022-0317",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
-    },
-    "description": {
-        "description_data": [
-            {
-                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
-            }
-        ]
-    }
-}
+  "CVE_data_meta": {
+      "ASSIGNER": "security@google.com",
+      "DATE_PUBLIC": "2022-01-25T13:36:00.000Z",
+      "ID": "CVE-2022-0317",
+      "STATE": "PUBLIC",
+      "TITLE": "Improper Input Validation in AKPublic.Verify in go-attestation"
+  },
+  "affects": {
+      "vendor": {
+          "vendor_data": [
+              {
+                  "product": {
+                      "product_data": [
+                          {
+                              "product_name": "go-attestation",
+                              "version": {
+                                  "version_data": [
+                                      {
+                                          "version_affected": "<",
+                                          "version_value": "0.4.0"
+                                      }
+                                  ]
+                              }
+                          }
+                      ]
+                  },
+                  "vendor_name": "Google LLC"
+              }
+          ]
+      }
+  },
+  "credit": [
+      {
+          "lang": "eng",
+          "value": "Nikki VonHollen"
+      }
+  ],
+  "data_format": "MITRE",
+  "data_type": "CVE",
+  "data_version": "4.0",
+  "description": {
+      "description_data": [
+          {
+              "lang": "eng",
+              "value": "An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above."
+          }
+      ]
+  },
+  "generator": {
+      "engine": "Vulnogram 0.0.9"
+  },
+  "impact": {
+      "cvss": {
+          "attackComplexity": "LOW",
+          "attackVector": "LOCAL",
+          "availabilityImpact": "NONE",
+          "baseScore": 4,
+          "baseSeverity": "MEDIUM",
+          "confidentialityImpact": "NONE",
+          "integrityImpact": "LOW",
+          "privilegesRequired": "NONE",
+          "scope": "UNCHANGED",
+          "userInteraction": "NONE",
+          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+          "version": "3.1"
+      }
+  },
+  "problemtype": {
+      "problemtype_data": [
+          {
+              "description": [
+                  {
+                      "lang": "eng",
+                      "value": "CWE-20 Improper Input Validation"
+                  }
+              ]
+          }
+      ]
+  },
+  "references": {
+      "reference_data": [
+          {
+              "refsource": "CONFIRM",
+              "url": "https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p"
+          }
+      ]
+  },
+  "source": {
+      "discovery": "INTERNAL"
+  }
+}