data/reports/GO-2021-0095.yaml - vulndb - Git at Google

 id: GO-2021-0095
 modules:
     - module: github.com/google/go-tpm
       versions:
         - fixed: 0.3.0
       vulnerable_at: 0.2.1-0.20200723190029-e82f64f63a31
       packages:
         - package: github.com/google/go-tpm/tpm
           symbols:
             - CreateWrapKey
 summary: Sensitive information exposure in github.com/google/go-tpm
 description: |-
     Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2
     transport is able to calculate usageAuth for keys created using CreateWrapKey,
     despite it being encrypted, allowing them to use the created key.
 published: 2021-04-14T20:04:52Z
 cves:
     - CVE-2020-8918
 ghsas:
     - GHSA-5x29-3hr9-6wpw
 credits:
     - Chris Fenner
 references:
     - fix: https://github.com/google/go-tpm/pull/195
     - fix: https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141
	id: GO-2021-0095
	modules:
	- module: github.com/google/go-tpm
	versions:
	- fixed: 0.3.0
	vulnerable_at: 0.2.1-0.20200723190029-e82f64f63a31
	packages:
	- package: github.com/google/go-tpm/tpm
	symbols:
	- CreateWrapKey
	summary: Sensitive information exposure in github.com/google/go-tpm
	description: \|-
	Due to repeated usage of a XOR key an attacker that can eavesdrop on the TPM 1.2
	transport is able to calculate usageAuth for keys created using CreateWrapKey,
	despite it being encrypted, allowing them to use the created key.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2020-8918
	ghsas:
	- GHSA-5x29-3hr9-6wpw
	credits:
	- Chris Fenner
	references:
	- fix: https://github.com/google/go-tpm/pull/195
	- fix: https://github.com/google/go-tpm/commit/d7806cce857a1a020190c03348e5361725d8f141