CVE-2022-23949
First published: Wed Sep 21 2022(Updated: )
In Keylime before 6.3.0, unsanitized UUIDs can be passed by a rogue agent and can lead to log spoofing on the verifier and registrar.
Credit: patrick@puiterwijk.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Keylime Keylime | <6.3.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/keylime/keylime/commit/387e320dc22c89f4f47c68cb37eb9eec2137f34b
- https://github.com/keylime/keylime/commit/65c2b737129b5837f4a03660aeb1191ced275a57
- https://github.com/keylime/keylime/commit/e429e95329fc60608713ddfb82f4a92ee3b3d2d9
- https://github.com/keylime/keylime/security/advisories/GHSA-87gh-qc28-j9mm
- https://seclists.org/oss-sec/2022/q1/101
Frequently Asked Questions
What is CVE-2022-23949?
CVE-2022-23949 is a vulnerability in Keylime before version 6.3.0 that allows for log spoofing on the verifier and registrar due to unsanitized UUIDs passed by a rogue agent.
How does CVE-2022-23949 affect Keylime?
CVE-2022-23949 affects Keylime versions before 6.3.0 and can be exploited by passing unsanitized UUIDs to spoof logs on the verifier and registrar.
What is the severity of CVE-2022-23949?
CVE-2022-23949 has a severity rating of 7.5 out of 10 (high severity).
How can I fix CVE-2022-23949?
To fix CVE-2022-23949, upgrade Keylime to version 6.3.0 or newer.
What is the Common Weakness Enumeration (CWE) ID for CVE-2022-23949?
The Common Weakness Enumeration (CWE) ID for CVE-2022-23949 is CWE-290.
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/keylime
- canonical/keylime keylime