CVE-2022-3500 — Uncaught Exception in Keylime

CWE-248 — Uncaught Exception7 documents6 sources

Severity

5.1MEDIUMNVD

EPSS

0.2%

top 64.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Keylime Fedoraproject Fedora Redhat Enterprise Linux

Timeline

PublishedNov 22

Description

A vulnerability was found in keylime. This security issue happens in some circumstances, due to some improperly handled exceptions, there exists the possibility that a rogue agent could create errors on the verifier that stopped attestation attempts for that host leaving it in an attested state but not verifying that anymore.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 1.4 | Impact: 3.6

Affected Packages3 packages

▶NVDkeylime/keylime< 6.5.1

▶PyPIkeylime/keylime< 6.5.1

▶CVEListV5keylime/keylimekeylime 6.5.2

Also affects: Fedora 35, 36, 37, Enterprise Linux 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-3500: A vulnerability was found in keylime↗2022-11-22

▶

CVEList

CVE-2022-3500: A vulnerability was found in keylime↗2022-11-22

▶

OSV

Keylime: unhandled exceptions could lead to invalid attestation states↗2022-10-28

▶

GHSA

Keylime: unhandled exceptions could lead to invalid attestation states↗2022-10-28

▶

💥Exploits & PoCs

Exploit-DB

Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)↗2022-06-27

▶

📋Vendor Advisories

Red Hat

keylime: exception handling and impedance match in tornado_requests↗2022-10-27

▶