{"id":"GO-2022-0294","summary":"Improper input validation in github.com/google/go-attestation","details":"A local attacker can defeat remotely-attested measured boot.\n\nImproper input validation in AKPublic.Verify can cause it to succeed when provided with a maliciously-formed Quote over no/some PCRs. Subsequent use of the same set of PCR values in Eventlog.Verify lacks the authentication performed by quote verification, meaning a local attacker can couple this vulnerability with a maliciously-formed TCG log in Eventlog.Verify to spoof events in the TCG log, defeating remotely-attested measured-boot.","aliases":["CVE-2022-0317","GHSA-99cg-575x-774p"],"modified":"2026-03-17T04:10:45.741233Z","published":"2022-07-15T23:27:21Z","database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2022-0294"},"references":[{"type":"FIX","url":"https://github.com/google/go-attestation/commit/82f2c9c2c76e1d3691d17ee78116d1d93a123788"}],"affected":[{"package":{"name":"github.com/google/go-attestation","ecosystem":"Go","purl":"pkg:golang/github.com/google/go-attestation"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.4.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/google/go-attestation/attest","symbols":["AKPublic.Verify","AKPublic.validate12Quote","AKPublic.validate20Quote","TPM.AttestPlatform"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0294.json"}}],"schema_version":"1.7.5","credits":[{"name":"Nikki VonHollen"}]}