blob: 2b29fe15f3f799a922c1cb38e7e0e845c64410a6 [file] [log] [blame]
id: GO-2021-0095
modules:
- module: github.com/google/go-tpm
versions:
- fixed: 0.3.0
vulnerable_at: 0.2.1-0.20200723190029-e82f64f63a31
packages:
- package: github.com/google/go-tpm/tpm
symbols:
- CreateWrapKey
summary: Sensitive information exposure in github.com/google/go-tpm
description: |-
Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2
transport is able to calculate usageAuth for keys created using CreateWrapKey,
despite it being encrypted, allowing them to use the created key.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2020-8918
ghsas:
- GHSA-5x29-3hr9-6wpw
credits:
- Chris Fenner
references:
- fix: https://github.com/google/go-tpm/pull/195
- fix: https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141
review_status: REVIEWED