Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-e4rm-c82g-fbff
Vulnerability ID VCID-e4rm-c82g-fbff
Aliases CVE-2022-1053
GHSA-jf66-3q76-h5p5
PYSEC-2022-184
Summary Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM to pass EK validation and give the verifier an AK of a software TPM. A successful attack breaks the entire chain of trust because a not validated AK is used by the verifier. This issue is worse if the validation happens first and then the agent gets added to the verifier because the timing is easier and the verifier does not validate the regcount entry being equal to 1,
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-20 Improper Input Validation
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://bugzilla.redhat.com/show_bug.cgi?id=2065024
https://bugzilla.redhat.com/show_bug.cgi?id=2065024,
https://github.com/advisories/GHSA-jf66-3q76-h5p5
https://github.com/keylime/keylime
https://github.com/keylime/keylime/commit/bd5de712acdd77860e7dc58969181e16c7a8dc5d
https://github.com/keylime/keylime/security/advisories/GHSA-jf66-3q76-h5p5,
https://github.com/pypa/advisory-database/tree/main/vulns/keylime/PYSEC-2022-184.yaml
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A7WAKVXM7L5D2DUACV6EHA6EJNAX2GVL
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A7WAKVXM7L5D2DUACV6EHA6EJNAX2GVL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RF6QHU4UGSBATC3HOOE7OP66CYVTR7CV
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RF6QHU4UGSBATC3HOOE7OP66CYVTR7CV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEW2PAXO5YGLDLPG45YV2OPLJXJSCECQ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEW2PAXO5YGLDLPG45YV2OPLJXJSCECQ/
CVE-2022-1053 https://nvd.nist.gov/vuln/detail/CVE-2022-1053
GHSA-jf66-3q76-h5p5 https://github.com/keylime/keylime/security/advisories/GHSA-jf66-3q76-h5p5
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:17:20.141716+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/keylime/PYSEC-2022-184.yaml 38.6.0