CVE-2024-51997 – The Attestation Results Token can be arbitrarily modified without being detected in Trustee

https://notcve.org/view.php?id=CVE-2024-51997

08 Nov 2024 — Trustee is a set of tools and components for attesting confidential guests and providing secrets to them. The ART (**Attestation Results Token**) token, generated by AS, could be manipulated by MITM attacker, but the verifier (CoCo Verification Demander like KBS) could still verify it successfully. In the payload of ART token, the ‘jwk’ could be replaced by attacker with his own pub key. Then attacker can use his own corresponding private key to sign the crafted ART token. Based on current code implementati... • https://github.com/confidential-containers/trustee/security/advisories/GHSA-7jc6-j236-vvjw • CWE-287: Improper Authentication •