CVE-2020-8918
Sensitive information exposure in github.com/google/go-tpm
CVSS 3.1: 7.1 (HIGH)
EPSS: 0.02%
Description
Due to repeated usage of a XOR key, an attacker who can eavesdrop on the TPM 1.2 transport is able to calculate usageAuth for keys created using CreateWrapKey, despite it being encrypted, allowing them to use the created key.
How to fix CVE-2020-8918
To remediate CVE-2020-8918, upgrade the affected package to a fixed version below.
- upgrade to 0.3.0 or later
- upgrade to 0.3.0 or later
Is CVE-2020-8918 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 0.3.0
- from 0, < 0.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |