CVE-2023-3674

A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.

Published: Jul 19, 2023
Updated: Apr 26, 2024
CVE: CVE-2023-3674
GHSA: GHSA-g4wg-cfpf-9689
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 2.8
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CWEs:

CWE-1283

Affected Software
References

Software	From	Fixed in
keylime	-	7.2.5
keylime / keylime	-	7.2.5
fedoraproject / fedora	38	38.x

https://access.redhat.com/errata/RHSA-2024:1139
https://access.redhat.com/security/cve/CVE-2023-3674
https://bugzilla.redhat.com/show_bug.cgi?id=2222903
https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db
https://github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2023-128.yaml

Vulnerability Database

289,599

CVE-2023-3674