GHSA-3wxm-m9m4-cprj – github.com/google/exposure-notifications-server
Package
Manager: go
Name: github.com/google/exposure-notifications-server
Vulnerable Version: >=0 <0.18.3 || >=0.19.0 <0.19.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Import of incorrectly embargoed keys could cause early publication

### Impact

If your installation is using the `export-importer` service, there is potential impact. If your installation is not importing keys via the `export-importer` service, your installation is not impacted.

In versions `0.19.1` and earlier, the `export-importer` service assumed that the server it was importing from had properly embargoed keys for at least 2 hours after their expiry time. There are now known instances of servers that did not properly embargo keys. This could allow imported keys to be re-published before they have expired, allowing for potential replay of RPIs (Rolling Proximity Identifiers derived from a still-valid key).

### Patches

This is patched in `v0.18.3` and all versions `0.19.2` and later.

### Workarounds

Ensure that the servers you are importing export zip files from are not publishing keys too early.

### References

n/a

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [exposure-notifications-server](https://github.com/google/exposure-notifications-server/)
* Email us at [exposure-notifications-feedback@google.com](mailto:exposure-notifications-feedback@google.com)
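The check the importer was missing, as an added example that is not the project's own code or its actual patch: before re-publishing an imported temporary exposure key, compute when the key stopped being used (rolling start interval plus rolling period, each interval being 10 minutes since the Unix epoch, as in the GAEN key format) and hold it until the 2-hour embargo named in the advisory has elapsed, rather than trusting the upstream server to have done so. The `ImportedKey` type, its field names and the sample keys are constructed for this example.

```go
package main

import (
	"fmt"
	"time"
)

// intervalLen is the length of one rolling interval in the GAEN key format
// (10 minutes); rolling start intervals count these since the Unix epoch.
const intervalLen = 10 * time.Minute

// embargo is the minimum delay after a key's expiry before it may be
// re-published; the advisory states the importer assumed at least 2 hours.
const embargo = 2 * time.Hour

// ImportedKey is a minimal stand-in (constructed for this example) for a
// temporary exposure key read from an upstream export zip.
type ImportedKey struct {
	KeyData              []byte
	RollingStartInterval int64 // 10-minute intervals since the Unix epoch
	RollingPeriod        int64 // number of intervals the key was used (typically 144)
}

// Expiry returns the instant after which the key no longer generated RPIs.
func (k ImportedKey) Expiry() time.Time {
	end := k.RollingStartInterval + k.RollingPeriod
	return time.Unix(end*int64(intervalLen/time.Second), 0).UTC()
}

// PublishableAt returns the earliest instant at which re-publishing the key
// cannot enable replay of RPIs derived from it.
func (k ImportedKey) PublishableAt() time.Time {
	return k.Expiry().Add(embargo)
}

// FilterEmbargoed splits keys into those safe to publish at `now` and those
// that must be held back (not silently published) until their embargo ends.
// Holding rather than dropping keeps them available for a later import run.
func FilterEmbargoed(keys []ImportedKey, now time.Time) (ready, held []ImportedKey) {
	for _, k := range keys {
		if now.Before(k.PublishableAt()) {
			held = append(held, k)
		} else {
			ready = append(ready, k)
		}
	}
	return ready, held
}

func main() {
	// Sample keys, constructed for this example: one that expired yesterday
	// and one whose rolling period is still running when the import happens.
	now := time.Now().UTC()
	nowInterval := now.Unix() / int64(intervalLen/time.Second)
	keys := []ImportedKey{
		{KeyData: []byte("old-key"), RollingStartInterval: nowInterval - 300, RollingPeriod: 144},
		{KeyData: []byte("current-key"), RollingStartInterval: nowInterval - 10, RollingPeriod: 144},
	}
	ready, held := FilterEmbargoed(keys, now)
	for _, k := range ready {
		fmt.Printf("publish %s (expired %s)\n", k.KeyData, k.Expiry())
	}
	for _, k := range held {
		fmt.Printf("hold    %s until %s\n", k.KeyData, k.PublishableAt())
	}
}
```

The comparison uses `now.Before(k.PublishableAt())` so that a key exactly at its embargo boundary is released; any clock skew between importer and upstream argues for the importer's own clock, not timestamps in the export, as the reference for `now`.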
Metadata
Created: 2021-05-21T16:24:44Z
Modified: 2021-05-20T20:24:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-3wxm-m9m4-cprj/GHSA-3wxm-m9m4-cprj.json
CWE IDs: []
Alternative ID: N/A
Finding: F087
Auto approve: 1