Description

Trustee is a set of tools and components for attesting confidential guests and providing secrets to them. The Attestation Results Token (ART), generated by the Attestation Service (AS), can be manipulated by a MITM attacker, and the verifier (a CoCo Verification Demander such as KBS) still verifies it successfully. The attacker can replace the ‘jwk’ in the ART payload with their own public key and then sign the crafted token with the corresponding private key. In the current code implementation (v0.8.0), this replacement and modification cannot be detected. This issue has been addressed in version 0.8.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

INFO

Published Date: 2024-11-08T18:40:31.701Z

Last Modified: 2024-11-12T17:17:50.487Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2024-51997 vulnerability.

Vendor: Confidential-containers
Product: Trustee