CVE-2022-23950: Keylime: Revocation Notifier's UNIX unprivileged domain socket which can allow DOS

In Keylime before 6.3.0, Revocation Notifier uses a fixed /tmp path for UNIX domain socket which can allow unprivileged users a method to prohibit keylime operations.

Impact

Revocation Notifier uses a fixed /tmp path for UNIX domain socket which can allow unprivileged users a method to prohibit keylime operations.
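
The defensive pattern for this class of bug, as an added illustration that is not Keylime's own code: a fixed, predictable socket path under the shared /tmp directory can already be occupied by any local user when the service starts, so the hardened version binds only inside a private directory after verifying its ownership and mode (the function and path names below are hypothetical).

```python
import os
import shutil
import socket
import stat
import tempfile

# Weak pattern described in the advisory: a fixed path in the shared /tmp
# directory, known to every local user. (Hypothetical name, not Keylime's.)
FIXED_SOCKET_PATH = "/tmp/example-revocation.sock"


def secure_socket_dir() -> str:
    """Create a fresh private directory (mode 0700) to hold the socket."""
    return tempfile.mkdtemp(prefix="revnotifier-")


def check_socket_dir(path: str) -> bool:
    """Reject a directory another local user created, can write to, or symlinked."""
    st = os.lstat(path)                      # lstat: a symlink is not a directory
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():            # must be owned by the service user
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False                         # group/world-writable (e.g. /tmp)
    return True


def bind_notifier_socket(sock_path: str) -> socket.socket:
    """Bind a listening UNIX socket only if its directory passes the check."""
    if not check_socket_dir(os.path.dirname(sock_path)):
        raise PermissionError(f"refusing to bind in untrusted directory: {sock_path}")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(sock_path)
    s.listen(1)
    return s


def demo() -> tuple:
    """Private dir passes and binds; world-writable dir and /tmp are rejected."""
    d = secure_socket_dir()
    try:
        private_ok = check_socket_dir(d)
        s = bind_notifier_socket(os.path.join(d, "rev.sock"))
        bound = s.fileno() >= 0
        s.close()
        os.chmod(d, 0o777)                   # simulate a shared, world-writable dir
        shared_ok = check_socket_dir(d)
        tmp_ok = check_socket_dir("/tmp")
    finally:
        shutil.rmtree(d, ignore_errors=True)
    return (private_ok, bound, shared_ok, tmp_ok)
```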

Patches

Users should upgrade to at least 6.3.x.

Workarounds

None

Credit

Many thanks to Matthias Gerstner for finding this issue and to Alberto Planas for the fix.

For more information

If you have any questions or comments about this advisory:

Related news

CVE-2022-23952: Multiple Security Issues (including remote code execution in the Agent component)

In Keylime before 6.3.0, current keylime installer installs the keylime.conf file, which can contain sensitive data, as world-readable.
