Home > Vulnerability Database > CVE-2022-0317

Mend.io Vulnerability Database

CVE-2022-0317

Good to know:

Date: February 4, 2022

An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above.

Language: Go

Severity Score

4.0

Related Resources (6)

Url: https://github.com/google/go-attestation

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-0317

Url: https://pkg.go.dev/vuln/GO-2022-0294

Url: https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p

Url: https://github.com/google/go-attestation/commit/82f2c9c2c76e1d3691d17ee78116d1d93a123788

Url: https://www.mend.io/vulnerability-database/CVE-2022-0317

Severity Score

4.0

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version 0.4.0

Learn More

CVSS v3.1

Base Score:	4.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	2.1
Access Vector (AV):	LOCAL
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2022-0317

Good to know:

Date: February 4, 2022

Language: Go

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?