{"url":"http://public2.vulnerablecode.io/api/packages/35018?format=json","purl":"pkg:pypi/keylime@6.5.3","type":"pypi","namespace":"","name":"keylime","version":"6.5.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.12.2","latest_non_vulnerable_version":"7.13.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36530?format=json","vulnerability_id":"VCID-brn1-4b8e-kqhf","summary":"A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2023:5080","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:5080"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2023-38201","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/security/cve/CVE-2023-38201"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2222693","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2222693"},{"reference_url":"https://github.com/keylime/keylime","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/keylime/keylime"},{"reference_url":"https://github.com/keylime/keylime/commit/9e5ac9f25cd400b16d5969f531cee28290543f2a","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://github.com/keylime/keylime/commit/9e5ac9f25cd400b16d5969f531cee28290543f2a"},{"reference_url":"https://github.com/keylime/keylime/security/advisories/GHSA-f4r5-q63f-gcww","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://github.com/keylime/keylime/security/advisories/GHSA-f4r5-q63f-gcww"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2023-160.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2023-160.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIZZB5NHNCS5D2AEH3ZAO6OQC72IK7WS","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZIZZB5NHNCS5D2AEH3ZAO6OQC72IK7WS"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38201","reference_id":"CVE-2023-38201","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38201"},{"reference_url":"https://github.com/advisories/GHSA-f4r5-q63f-gcww","reference_id":"GHSA-f4r5-q63f-gcww","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f4r5-q63f-gcww"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35345?format=json","purl":"pkg:pypi/keylime@7.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mqxg-478p-23cn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keylime@7.5.0"}],"aliases":["CVE-2023-38201","GHSA-f4r5-q63f-gcww","PYSEC-2023-160"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-brn1-4b8e-kqhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37203?format=json","vulnerability_id":"VCID-mqxg-478p-23cn","summary":"A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2224","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/errata/RHSA-2026:2224"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2225","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/errata/RHSA-2026:2225"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2298","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/errata/RHSA-2026:2298"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2026-1709","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/security/cve/CVE-2026-1709"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2435514","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2435514"},{"reference_url":"https://github.com/keylime/keylime","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/keylime/keylime"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1709","reference_id":"CVE-2026-1709","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1709"},{"reference_url":"https://github.com/advisories/GHSA-4jqp-9qjv-57m2","reference_id":"GHSA-4jqp-9qjv-57m2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4jqp-9qjv-57m2"},{"reference_url":"https://github.com/keylime/keylime/security/advisories/GHSA-4jqp-9qjv-57m2","reference_id":"GHSA-4jqp-9qjv-57m2","reference_type":"","scores":[],"url":"https://github.com/keylime/keylime/security/advisories/GHSA-4jqp-9qjv-57m2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/47235?format=json","purl":"pkg:pypi/keylime@7.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-af9x-v3fm-3ffh"},{"vulnerability":"VCID-mqxg-478p-23cn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keylime@7.12.0"},{"url":"http://public2.vulnerablecode.io/api/packages/73929?format=json","purl":"pkg:pypi/keylime@7.12.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keylime@7.12.2"},{"url":"http://public2.vulnerablecode.io/api/packages/73930?format=json","purl":"pkg:pypi/keylime@7.13.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keylime@7.13.1"}],"aliases":["CVE-2026-1709","GHSA-4jqp-9qjv-57m2","PYSEC-2026-74"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mqxg-478p-23cn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36494?format=json","vulnerability_id":"VCID-v57m-t456-xkfd","summary":"A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2024:1139","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:1139"},{"reference_url":"https://access.redhat.com/security/cve/CVE-2023-3674","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/security/cve/CVE-2023-3674"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2222903","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2222903"},{"reference_url":"https://github.com/keylime/keylime","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/keylime/keylime"},{"reference_url":"https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db","reference_id":"","reference_type":"","scores":[{"value":"2.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"}],"url":"https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2023-128.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2023-128.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3674","reference_id":"CVE-2023-3674","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3674"},{"reference_url":"https://github.com/advisories/GHSA-g4wg-cfpf-9689","reference_id":"GHSA-g4wg-cfpf-9689","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-g4wg-cfpf-9689"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35022?format=json","purl":"pkg:pypi/keylime@7.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-brn1-4b8e-kqhf"},{"vulnerability":"VCID-mqxg-478p-23cn"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keylime@7.2.5"}],"aliases":["CVE-2023-3674","GHSA-g4wg-cfpf-9689","PYSEC-2023-128"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v57m-t456-xkfd"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/keylime@6.5.3"}