{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T14:13:44.510","vulnerabilities":[{"cve":{"id":"CVE-2022-0317","sourceIdentifier":"cve-coordination@google.com","published":"2022-02-04T23:15:12.510","lastModified":"2024-11-21T06:38:21.880","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"An improper input validation vulnerability in go-attestation before 0.3.3 allows local users to provide a maliciously-formed Quote over no/some PCRs, causing AKPublic.Verify to succeed despite the inconsistency. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in Eventlog.Verify to spoof events in the TCG log, hence defeating remotely-attested measured-boot. We recommend upgrading to Version 0.4.0 or above."},{"lang":"es","value":"Una vulnerabilidad de Comprobación de Entrada Inapropiada en go-attestation versiones anteriores a 0.3.3, permite a usuarios locales proporcionar una cita con forma maliciosa sobre no/algunas PCR, causando que AKPublic.Verify tenga éxito a pesar de la inconsistencia. El uso posterior del mismo conjunto de valores de PCR en Eventlog.Verify carece de la autenticación llevada a cabo por la verificación de citas, lo que significa que un atacante local podría acoplar esta vulnerabilidad con un registro TCG diseñado de forma maliciosa en Eventlog.Verify para falsificar eventos en el registro TCG, derrotando así el arranque medido comprobado de forma remota. Recomendamos actualizar a la versión 0.4.0 o superior"}],"metrics":{"cvssMetricV31":[{"source":"cve-coordination@google.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":4.0,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.5,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":3.3,"baseSeverity":"LOW","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":1.4}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:N/I:P/A:N","baseScore":2.1,"accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"LOW","exploitabilityScore":3.9,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"cve-coordination@google.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:google:go-attestation:*:*:*:*:*:*:*:*","versionEndExcluding":"0.3.3","matchCriteriaId":"E662172D-83A5-40CD-8EB7-44ED2E93ABD7"}]}]}],"references":[{"url":"https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p","source":"cve-coordination@google.com","tags":["Third Party Advisory"]},{"url":"https://github.com/google/go-attestation/security/advisories/GHSA-99cg-575x-774p","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]}]}}]}