Keylime: Quote responses subject to Zip bomb attacks

High
mpeters published GHSA-6xx7-m45w-76m2 Jan 27, 2022

Package

keylime (Keylime)

Affected versions

<6.2.0

Patched versions

6.3.0

Description

Impact

Quote responses from the agent can contain untrusted ZIP data, so a malicious or compromised agent can supply a zip bomb: a small payload that inflates to a huge size and exhausts memory or disk on the side that decompresses it.
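The defensive pattern for this class of bug is to never inflate attacker-controlled compressed data without a hard ceiling on the decompressed size. The following is an added example, not Keylime's own code; it assumes the quote carries a base64-encoded zlib stream (the advisory only says "ZIP data", so the exact wire format and the 1 MiB budget are assumptions for illustration). It decompresses in fixed-size chunks with `zlib.decompressobj`, aborting as soon as the running total exceeds the budget, and contrasts that with a naive one-shot `zlib.decompress` on a constructed bomb.

```python
import base64
import zlib

# Constructed sample: 32 MiB of zeros compresses to a few tens of KiB, a small "zip bomb".
INFLATED_SIZE = 32 * 1024 * 1024
BOMB_B64 = base64.b64encode(zlib.compress(b"\x00" * INFLATED_SIZE, 9))

# Constructed benign payload resembling a short measurement list (not real Keylime data).
BENIGN = b"10 ima-ng sha256:0000000000000000000000000000000000000000000000000000000000000000 boot_aggregate\n"
BENIGN_B64 = base64.b64encode(zlib.compress(BENIGN))

# Assumed budget for illustration; a real deployment sizes this to its expected payloads.
MAX_DECOMPRESSED = 1024 * 1024  # 1 MiB


class DecompressionLimitExceeded(ValueError):
    """Raised when inflating the payload would exceed the configured budget."""


def naive_inflate(data_b64: bytes) -> bytes:
    # Vulnerable pattern: the attacker, not the verifier, decides how much memory this allocates.
    return zlib.decompress(base64.b64decode(data_b64))


def bounded_inflate(data_b64: bytes, max_size: int = MAX_DECOMPRESSED, chunk: int = 64 * 1024) -> bytes:
    """Inflate a base64-encoded zlib stream, refusing to produce more than max_size bytes."""
    compressed = base64.b64decode(data_b64, validate=True)
    d = zlib.decompressobj()
    out = bytearray()
    pending = compressed
    while pending and not d.eof:
        # max_length caps the output of this call; leftover input lands in unconsumed_tail.
        piece = d.decompress(pending, chunk)
        if len(out) + len(piece) > max_size:
            # Stop before the bomb can grow further; work done so far is bounded by max_size.
            raise DecompressionLimitExceeded(f"inflated payload exceeds {max_size} bytes")
        out += piece
        if not piece and d.unconsumed_tail == pending:
            break  # no progress: corrupt stream, the eof check below rejects it
        pending = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated or corrupt zlib stream")
    return bytes(out)


def is_within_budget(data_b64: bytes, max_size: int = MAX_DECOMPRESSED) -> bool:
    """True if the payload inflates within budget, False if it is rejected as a bomb."""
    try:
        bounded_inflate(data_b64, max_size)
    except DecompressionLimitExceeded:
        return False
    return True


if __name__ == "__main__":
    print("compressed bomb size:", len(base64.b64decode(BOMB_B64)), "bytes")
    print("naive inflate produced:", len(naive_inflate(BOMB_B64)), "bytes")
    print("benign within budget:", is_within_budget(BENIGN_B64))
    print("bomb within budget:", is_within_budget(BOMB_B64))
```

The chunked loop matters for more than the final size check: because each `decompress` call is capped, the verifier never allocates more than `max_size` plus one chunk before deciding to reject, so a bomb costs the receiver roughly the same work as a legitimate payload of the maximum allowed size.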

Patches

Users should upgrade to at least 6.3.x.

Workarounds

None

Credit

Many thanks to Matthias Gerstner for finding this issue and to Thore Sommer for the fix.

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2022-23951

Weaknesses

No CWEs