CVE-2024-29040 Affecting tpm2-tss package, versions <4.1.1-r0


Severity

Recommended: low (based on default assessment until relevant scores are available)

Threat Intelligence

EPSS: 0.04% (11th percentile)

  • Snyk ID: SNYK-ALPINE321-TPM2TSS-8489996
  • published: 6 Dec 2024
  • disclosed: 28 Jun 2024

Introduced: 28 Jun 2024

CVE-2024-29040

How to fix?

Upgrade Alpine:3.21 tpm2-tss to version 4.1.1-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tpm2-tss package and not to the tpm2-tss package as distributed by Alpine. See How to fix? for the fixed versions and status relevant to Alpine:3.21.

This repository hosts source code implementing the Trusted Computing Group's (TCG) TPM2 Software Stack (TSS). The JSON Quote Info returned by Fapi_Quote has to be deserialized by Fapi_VerifyQuote to the TPM Structure TPMS_ATTEST. For the field TPM2_GENERATED magic of this structure any number can be used in the JSON structure. The verifier can receive a state which does not represent the actual, possibly malicious state of the device under test. The malicious device might get access to data it shouldn't, or can use services it shouldn't be able to. This issue has been patched in version 4.1.0.
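The missing check described above, as an added illustration in Python that is not tpm2-tss code: a JSON quote-info document is deserialised into a TPMS_ATTEST-like record once without any check on the magic field (the pattern the advisory describes) and once rejecting any document whose magic is not the TPM-generated marker before the nonce and PCR digest are compared. The constants TPM_GENERATED_VALUE (0xFF544347) and TPM_ST_ATTEST_QUOTE (0x8018) come from the TPM 2.0 Library Specification, Part 2; the JSON key names, the helper functions and the sample documents are assumptions constructed for this example, not FAPI's exact schema or real TPM output.

```python
"""Added illustration (not tpm2-tss code): deserialising a JSON quote-info
document into a TPMS_ATTEST-like record with and without the magic check
that CVE-2024-29040 describes as missing."""
import json
from dataclasses import dataclass

# Constants from the TPM 2.0 Library Specification, Part 2 (Structures).
TPM_GENERATED_VALUE = 0xFF544347   # 0xFF 'T' 'C' 'G': marks TPM-generated data
TPM_ST_ATTEST_QUOTE = 0x8018       # TPMI_ST_ATTEST value for a quote


class QuoteVerificationError(ValueError):
    """Raised when a quote-info document fails a structural check."""


@dataclass(frozen=True)
class AttestInfo:
    """Subset of TPMS_ATTEST that this illustration needs."""
    magic: int
    type: int
    qualified_signer: bytes
    extra_data: bytes     # the verifier's nonce, echoed back in the attestation
    pcr_digest: bytes     # digest over the selected PCR values


def _parse(quote_json: str) -> AttestInfo:
    # JSON key names are assumptions for this illustration, not FAPI's exact schema.
    doc = json.loads(quote_json)
    return AttestInfo(
        magic=int(doc["magic"]),
        type=int(doc["type"]),
        qualified_signer=bytes.fromhex(doc["qualifiedSigner"]),
        extra_data=bytes.fromhex(doc["extraData"]),
        pcr_digest=bytes.fromhex(doc["attested"]["quote"]["pcrDigest"]),
    )


def deserialize_unchecked(quote_json: str) -> AttestInfo:
    """Vulnerable pattern: whatever number the JSON carries becomes `magic`."""
    return _parse(quote_json)


def deserialize_checked(quote_json: str) -> AttestInfo:
    """Hardened pattern: reject any structure not marked as TPM-generated."""
    info = _parse(quote_json)
    if info.magic != TPM_GENERATED_VALUE:
        raise QuoteVerificationError(
            f"magic 0x{info.magic:08X} != TPM_GENERATED_VALUE 0x{TPM_GENERATED_VALUE:08X}")
    if info.type != TPM_ST_ATTEST_QUOTE:
        raise QuoteVerificationError(f"type 0x{info.type:04X} is not TPM_ST_ATTEST_QUOTE")
    return info


def verify_quote(quote_json: str, expected_nonce: bytes, expected_pcr_digest: bytes) -> bool:
    """Structural checks first, then binding to the verifier's own nonce and the
    PCR digest it expects.  Signature verification over the attest bytes is out
    of scope for this illustration and would follow the same structural checks."""
    try:
        info = deserialize_checked(quote_json)
    except QuoteVerificationError:
        return False
    return info.extra_data == expected_nonce and info.pcr_digest == expected_pcr_digest


# Constructed sample documents (not real TPM output).
NONCE = bytes(range(16))
PCR_DIGEST = bytes.fromhex("ab" * 32)


def _make_doc(magic: int) -> str:
    return json.dumps({
        "magic": magic,
        "type": TPM_ST_ATTEST_QUOTE,
        "qualifiedSigner": "000b" + "11" * 32,
        "extraData": NONCE.hex(),
        "attested": {"quote": {"pcrDigest": PCR_DIGEST.hex()}},
    })


GENUINE_DOC = _make_doc(TPM_GENERATED_VALUE)
FORGED_DOC = _make_doc(0)   # magic does not mark the structure as TPM-generated


if __name__ == "__main__":
    # The unchecked parser accepts both documents; the checked path rejects the forged one.
    print("unchecked forged magic:", hex(deserialize_unchecked(FORGED_DOC).magic))
    print("checked genuine:", verify_quote(GENUINE_DOC, NONCE, PCR_DIGEST))
    print("checked forged:", verify_quote(FORGED_DOC, NONCE, PCR_DIGEST))
```

The point of ordering the checks this way is that the magic and type comparisons cost nothing and fail closed: a verifier that only compares nonce and PCR digest, as the unchecked path would allow, can be handed a structure that reflects a state the device never attested to, which is exactly the outcome the description above warns about.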

CVSS Scores

version 3.1