Improper Input Validation Affecting keylime package, versions [,6.4.0)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.2% (58th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-KEYLIME-2808854
  • published6 May 2022
  • disclosed5 May 2022
  • creditTHS-on

Introduced: 5 May 2022

CVE-2022-1053  (opens in a new tab)
CWE-354  (opens in a new tab)

How to fix?

Upgrade keylime to version 6.4.0 or higher.

Overview

keylime is a TPM-based key bootstrapping and system integrity measurement system for cloud

Affected versions of this package are vulnerable to Improper Input Validation in Tenant and Verifier which does not use the same registrar data. It allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software TPM.

References

CVSS Scores

version 3.1