CVE-2022-23951

low-risk
Published 2022-09-21

In Keylime before 6.3.0, quote responses from the agent can contain possibly untrusted ZIP data which can lead to zip bombs.

Do I need to act?

-
0.06% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Keylime

Affected Vendors

Keylime

References (6)

Patch https://github.com/keylime/keylime/commit/6e44758b64b0ee13564fc46e807f4ba98091c3...
Third Party Advisory https://github.com/keylime/keylime/security/advisories/GHSA-6xx7-m45w-76m2
Exploit https://seclists.org/oss-sec/2022/q1/101
Patch https://github.com/keylime/keylime/commit/6e44758b64b0ee13564fc46e807f4ba98091c3...
Third Party Advisory https://github.com/keylime/keylime/security/advisories/GHSA-6xx7-m45w-76m2
Exploit https://seclists.org/oss-sec/2022/q1/101
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal