GHSA-3WXM-M9M4-CPRJ
Vulnerability from github – Published: 2021-05-21 16:24 – Updated: 2021-05-20 20:24
Impact
If your installation is using the export-importer service, there is potential impact.
If your installation is not importing keys via the export-importer service, your installation is not impacted.
In versions 0.19.1 and earlier, the export-importer service assumed that the server it was importing from had properly embargoed keys for at least 2 hours after their expiry time. There are now known instances of servers that did not properly embargo keys.
This could allow imported keys to be re-published before they have expired, allowing for potential replay of RPIs.
Patches
This is patched in v0.18.3 and all versions 0.19.2 and later.
Workarounds
Ensure that the servers you are importing export zip files from are not publishing keys too early.
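As an added illustration (not code from exposure-notifications-server), the check an importer can apply on its own side instead of relying on the upstream embargo: assuming keys in the standard Exposure Notification layout (10-minute interval numbers plus a rolling period), only keys that expired at least 2 hours before the import time are released for re-publication, and anything newer is held back. The key labels and sample timestamps are constructed.

```go
package main

import "time"

// Added example, not code from exposure-notifications-server. Assumes the
// standard Exposure Notification key layout: 10-minute interval numbers since
// the Unix epoch, with a key covering RollingPeriod intervals.
const intervalSeconds = 600

// MinEmbargo is the advisory's requirement: a key may only be re-published
// once it has been expired for at least 2 hours.
const MinEmbargo = 2 * time.Hour

// ImportedKey is a minimal model of one key read from an upstream export zip.
type ImportedKey struct {
	Label                      string // constructed, for the sample data only
	RollingStartIntervalNumber int64
	RollingPeriod              int32
}

// ExpiresAt is the first moment the key is no longer valid.
func (k ImportedKey) ExpiresAt() time.Time {
	end := k.RollingStartIntervalNumber + int64(k.RollingPeriod)
	return time.Unix(end*intervalSeconds, 0).UTC()
}

// FilterEmbargoed enforces the embargo locally instead of trusting the upstream:
// keys expired at least MinEmbargo before now may be published, the rest are held.
func FilterEmbargoed(keys []ImportedKey, now time.Time) (publish, hold []ImportedKey) {
	cutoff := now.Add(-MinEmbargo)
	for _, k := range keys {
		if k.ExpiresAt().After(cutoff) {
			hold = append(hold, k)
		} else {
			publish = append(publish, k)
		}
	}
	return publish, hold
}

// SampleKeys builds constructed keys relative to now: one expired a day ago,
// one still valid for another hour, one expired exactly 2 hours ago.
func SampleKeys(now time.Time) []ImportedKey {
	n := now.Unix() / intervalSeconds
	return []ImportedKey{
		{"expired-yesterday", n - 288, 144},
		{"still-valid", n - 138, 144},
		{"expired-2h-ago", n - 156, 144},
	}
}
```

The boundary case (expired exactly 2 hours ago) is deliberately allowed through, matching the "at least 2 hours" wording above.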
References
n/a
For more information
If you have any questions or comments about this advisory
- Open an issue in exposure-notifications-server
- Email us at exposure-notifications-feedback@google.com
{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/google/exposure-notifications-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.18.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/google/exposure-notifications-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.19.0"
            },
            {
              "fixed": "0.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-20T20:24:22Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIf your installation is using the `export-importer` service, there is potential impact.\nIf your installation is not importing keys via the `export-importer` service, your installation is not impacted.\n\nIn versions `0.19.1` and earlier, the `export-importer` service assumed that the server it was importing from had properly embargoed keys for at least 2 hours after their expiry time. There are now known instances of servers that did not properly embargo keys.\n\nThis could allow imported keys to be re-published before they have expired, allowing for potential replay of RPIs.\n\n### Patches\n\nThis is patched in `v0.18.3` and all versions `0.19.2` and later.\n\n### Workarounds\n\nEnsure that the servers you are importing export zip files from are not publishing keys too early.\n\n### References\n\nn/a\n\n### For more information\n\nIf you have any questions or comments about this advisory\n* Open an issue in [exposure-notifications-server](https://github.com/google/exposure-notifications-server/)\n* Email us at [exposure-notifications-feedback@google.com](mailto:exposure-notifications-feedback@google.com)",
  "id": "GHSA-3wxm-m9m4-cprj",
  "modified": "2021-05-20T20:24:22Z",
  "published": "2021-05-21T16:24:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/google/exposure-notifications-server/security/advisories/GHSA-3wxm-m9m4-cprj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Import of incorrectly embargoed keys could cause early publication"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.