tpm2-tools versions before 1.1.1 are vulnerable to a password leak due to transmitting password in plaintext from client to server when generating HMAC.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"last_affected": "1.1.0"
}
],
"source": "CPE_RANGE",
"vendor_product": "tpm2-tools_project:tpm2.0-tools",
"cpes": [
"cpe:2.3:a:tpm2-tools_project:tpm2.0-tools:*:*:*:*:*:*:*:*"
]
}
]
}"2026-07-08T11:36:26Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7524.json"
[
{
"id": "CVE-2017-7524-1f42cbea",
"digest": {
"line_hashes": [
"165864225263249160298319280978989806839",
"101702199380195429949223049532959516637",
"141398387035421838025360045102776212496",
"132721162524462162173643398948651984234"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/tpm2-software/tpm2-tools/commit/c5d72beaab1cbbbe68271f4bc4b6670d69985157",
"deprecated": false,
"target": {
"file": "lib/tpm_session.c"
}
},
{
"id": "CVE-2017-7524-3cac7233",
"digest": {
"line_hashes": [
"254586252204020286163600424772410460959",
"267715276469804961707024732313449798564",
"96209342137147007918334866542545933780",
"61462436351685128351119306908089079458",
"249744176489845957321532133817529584492",
"68066838811563690508873151424193431321",
"111944428770312424075453754359133097636",
"188566356146727117938139796888122871583",
"84668445536793509895015590991923055720",
"148183876068730552352551967389787792190",
"216241029137337205359845428063844105867",
"122806264829506449325821273877331396630",
"12174745508328002119354123855945056756",
"223536653181776221487980163870075150186",
"218877022496171811203553951950729292909",
"322104216431582441745300674122233654616",
"321497049247625440062764794916938818065",
"262333223534320976532313262705224003952",
"302219338243683415815112302177723028578",
"36383495230595941201310710958013678540",
"166060360615773013603255372358582010564",
"81803750717646419168791928232866035052",
"337436367418675556541557720125655000557",
"312937810303866225698282412483986704070",
"227831956309741836344402192911207704344",
"240116388559135784296843901733927914121",
"100342313955708255656104704729534435693",
"65742153090328428692705369362083552683",
"150648565365152317463668283419851598634",
"125303902231802358198712180948070081994",
"174266882102331260370959043858417549200",
"64479693297646278223088120909540215723",
"317073501528596307288881965344423040362"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/tpm2-software/tpm2-tools/commit/c5d72beaab1cbbbe68271f4bc4b6670d69985157",
"deprecated": false,
"target": {
"file": "lib/tpm_kdfa.c"
}
},
{
"id": "CVE-2017-7524-7445857b",
"digest": {
"function_hash": "206500257403365829074316641019349411178",
"length": 2038.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/tpm2-software/tpm2-tools/commit/b214121c888cd10d8d82bc90ac80a1d09c8f75e7",
"deprecated": false,
"target": {
"function": "KDFa",
"file": "src/kdfa.c"
}
},
{
"id": "CVE-2017-7524-b17f3e58",
"digest": {
"function_hash": "180252340920317230498263520845147375598",
"length": 1298.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/tpm2-software/tpm2-tools/commit/c5d72beaab1cbbbe68271f4bc4b6670d69985157",
"deprecated": false,
"target": {
"function": "tpm_kdfa",
"file": "lib/tpm_kdfa.c"
}
},
{
"id": "CVE-2017-7524-f4c3c5f8",
"digest": {
"function_hash": "174969441118826927661811734004315319098",
"length": 1742.0
},
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/tpm2-software/tpm2-tools/commit/c5d72beaab1cbbbe68271f4bc4b6670d69985157",
"deprecated": false,
"target": {
"function": "StartAuthSession",
"file": "lib/tpm_session.c"
}
},
{
"id": "CVE-2017-7524-f796da68",
"digest": {
"line_hashes": [
"79624650280437269435151798918185600825",
"215818861346023275373037766164645113839",
"255847061987680970923690854203156260329"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/tpm2-software/tpm2-tools/commit/c5d72beaab1cbbbe68271f4bc4b6670d69985157",
"deprecated": false,
"target": {
"file": "lib/tpm_kdfa.h"
}
},
{
"id": "CVE-2017-7524-fe242efb",
"digest": {
"line_hashes": [
"95232300587984678603417555299965509457",
"211355043612182050882646953665675610629",
"166050799514391779778234104619521212724",
"216241029137337205359845428063844105867",
"122806264829506449325821273877331396630",
"12174745508328002119354123855945056756",
"59689071178266084162495364000063890350",
"280035019036607905149730485285488150636",
"322104216431582441745300674122233654616",
"58053240465930277255388524110698863744",
"34335218443412213266875542423680267149",
"116596203688965926185103713128810437403",
"36383495230595941201310710958013678540",
"196097266166245140603975538115910865050",
"249545774669578692851649718526238495669",
"18576325326063074015002145996093186906",
"73987116936596226092070652771480084750",
"299125199620325029034147628022169922764",
"260317421582116880540907365764075980694",
"16355955072778976159693404513184616992",
"227831956309741836344402192911207704344",
"297515138449111958757356083788621255961",
"90569889338864299418359753870513557371",
"278000792060084027892193574476825816672",
"202757043302884322154238710903695843260"
],
"threshold": 0.9
},
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/tpm2-software/tpm2-tools/commit/b214121c888cd10d8d82bc90ac80a1d09c8f75e7",
"deprecated": false,
"target": {
"file": "src/kdfa.c"
}
}
]