Google/Go Tpm Library
Approved changes feed: RSS · Atom
cpe:2.3:a:google_llc:google/go-tpm_library:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Google Llc (c72c74b5-1c39-5d47-98b8-8dacb6f7d99a) |
|---|---|
| Product | Google/Go Tpm Library (35ee8ce6-29e9-5498-8f7f-5a9a192a6552) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2020-8918 |
vulnerable | 2026-06-03 14:43:12.126315 |
TPM 1.2 key authorization values are vulnerable to a TPM transport eavesdropper
MEDIUM (6.3)
An improperly initialized 'migrationAuth' value in Google's go-tpm TPM1.2 library versions prior to 0.3.0 can lead an eavesdropping attacker to discover the auth value for a key created with CreateWrapKey. An attacker listening in on the channel can collect both 'encUsageAuth' and 'encMigrationAuth', and then can calculate 'usageAuth ^ encMigrationAuth' as the 'migrationAuth' can be guessed for all keys created with CreateWrapKey. TPM2.0 is not impacted by this. We recommend updating your library to 0.3.0 or later, or, if you cannot update, to call CreateWrapKey with a random 20-byte value for 'migrationAuth'.
Published: 2020-08-11T18:35:11.000Z
Updated: 2024-08-04T10:12:11.062Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.