Homepage
About Snyk

Improper Input Validation Affecting keylime package, versions [,6.4.0)

0.0
high

Snyk CVSS

    Attack Complexity Low
    Confidentiality High

    Threat Intelligence

    EPSS 0.2% (58th percentile)
Expand this section
NVD
9.1 critical
Expand this section
SUSE
9.1 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-KEYLIME-2808854
  • published 6 May 2022
  • disclosed 5 May 2022
  • credit THS-on
Report a new vulnerability Found a mistake?

Introduced: 5 May 2022

CVE-2022-1053 Open this link in a new tab
CWE-354 Open this link in a new tab

How to fix?

Upgrade keylime to version 6.4.0 or higher.

Overview

keylime is a TPM-based key bootstrapping and system integrity measurement system for cloud

Affected versions of this package are vulnerable to Improper Input Validation in Tenant and Verifier which does not use the same registrar data. It allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software TPM.

References