CVE-2022-23949

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Keylime before 6.3.0, unsanitized UUIDs can be passed by a rogue agent and can lead to log spoofing on the verifier and registrar.

En Keylime versiones anteriores a 6.3.0, los UUIDs no saneados pueden ser pasados por un agente deshonesto y pueden conllevar a una suplantación de registros en el verificador y el registrador

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-25 CVE Reserved
2022-09-21 CVE Published
2024-04-13 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-290: Authentication Bypass by Spoofing

CAPEC

References (5)

URL	Tag	Source
https://github.com/keylime/keylime/security/advisories/GHSA-87gh-qc28-j9mm	Third Party Advisory

URL	Date	SRC
https://seclists.org/oss-sec/2022/q1/101	2024-08-03

URL	Date	SRC
https://github.com/keylime/keylime/commit/387e320dc22c89f4f47c68cb37eb9eec2137f34b	2022-12-21
https://github.com/keylime/keylime/commit/65c2b737129b5837f4a03660aeb1191ced275a57	2022-12-21
https://github.com/keylime/keylime/commit/e429e95329fc60608713ddfb82f4a92ee3b3d2d9	2022-12-21

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Keylime Search vendor "Keylime"		Keylime Search vendor "Keylime" for product "Keylime"				< 6.3.0 Search vendor "Keylime" for product "Keylime" and version " < 6.3.0"		-		Affected