PYSEC-2023-128

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/keylime/PYSEC-2023-128.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2023-128

Aliases

Published

2023-07-19T19:15:00Z

Modified

2023-11-08T04:12:58.209507Z

Severity

2.8 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.

References

Affected packages

PyPI / keylime

Package

Name: keylime; View open source insights on deps.dev
Purl: pkg:pypi/keylime

Affected ranges

Type: GIT
Repo: https://github.com/keylime/keylime
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

95ce3d86bd2c53009108ffda2dcf553312d733db

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.2.5

Affected versions

6.*

6.3.1

6.3.2

6.4.0

6.4.1

6.4.2

6.4.3

6.5.0

6.5.1

6.5.2

6.5.3

6.6.0

6.8.0

7.*

7.0.0