GHSA-g4wg-cfpf-9689

GitHub Security Advisory

keylime fails to flag device as untrusted when signature does not validate

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

A flaw was found in the keylime attestation verifier: when the signature on a device's submitted TPM quote does not validate, the verifier does not flag the quote as faulty and does not mark the device as untrusted. Instead, it only emits an error in the log and continues, so a quote with an invalid signature is not treated as a failed attestation.
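To make the failure mode concrete, the following is an added illustration written for this page; it is not keylime's code and does not reproduce keylime's verifier. It models a quote as nonce, PCR digest and signature, uses an HMAC as a stand-in for the TPM attestation-key signature (real quotes are signed asymmetrically; the stand-in keeps the example stdlib-only), and places the flawed pattern (log the signature failure, keep going) beside the corrected one (signature failure is a verification failure). All names, the quote format and the golden PCR value are assumptions.

```python
"""
Added illustration (not keylime's code): a toy attestation verifier that
models the flaw described in the advisory. The quote format, the HMAC
stand-in for the TPM's AK signature, and all names are assumptions.
"""
import hashlib
import hmac
import logging
from dataclasses import dataclass

logger = logging.getLogger("toy_verifier")

# Constructed sample: a shared key stands in for the attestation key.
# Real TPM quotes are signed asymmetrically; HMAC keeps this stdlib-only.
AK_KEY = b"toy-attestation-key"
EXPECTED_PCR_DIGEST = hashlib.sha256(b"golden-pcr-state").digest()


@dataclass(frozen=True)
class Quote:
    nonce: bytes
    pcr_digest: bytes
    signature: bytes


def sign_quote(nonce: bytes, pcr_digest: bytes, key: bytes = AK_KEY) -> Quote:
    """Produce a quote over nonce || pcr_digest (models the TPM's side)."""
    sig = hmac.new(key, nonce + pcr_digest, hashlib.sha256).digest()
    return Quote(nonce, pcr_digest, sig)


def signature_valid(q: Quote, key: bytes = AK_KEY) -> bool:
    """Recompute the signature with the trusted key and compare in constant time."""
    expected = hmac.new(key, q.nonce + q.pcr_digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, q.signature)


def verify_vulnerable(q: Quote, nonce: bytes) -> bool:
    """Models the flawed behaviour: a bad signature is only logged.

    Control flow falls through to the nonce and PCR checks, so a quote
    whose signature is invalid is still reported as trusted when its
    nonce and PCR digest look right.
    """
    if not signature_valid(q):
        logger.error("quote signature did not validate")  # and nothing else
    if q.nonce != nonce:
        return False
    return q.pcr_digest == EXPECTED_PCR_DIGEST


def verify_fixed(q: Quote, nonce: bytes) -> bool:
    """Signature failure is a verification failure: the device is untrusted."""
    if not signature_valid(q):
        logger.error("quote signature did not validate")
        return False
    if q.nonce != nonce:
        return False
    return q.pcr_digest == EXPECTED_PCR_DIGEST


def demo() -> dict:
    """Run both verifiers over a genuine quote and a forged one."""
    nonce = b"verifier-nonce-1"
    good = sign_quote(nonce, EXPECTED_PCR_DIGEST)
    # Constructed attack input: correct nonce and golden PCR digest, but a
    # signature produced with a key the verifier does not trust.
    forged = sign_quote(nonce, EXPECTED_PCR_DIGEST, key=b"attacker-key")
    return {
        "good_vulnerable": verify_vulnerable(good, nonce),
        "good_fixed": verify_fixed(good, nonce),
        "forged_vulnerable": verify_vulnerable(forged, nonce),
        "forged_fixed": verify_fixed(forged, nonce),
    }


if __name__ == "__main__":
    for name, trusted in demo().items():
        print(f"{name}: {'trusted' if trusted else 'untrusted'}")
```

The point of the side-by-side is the check a reviewer would look for in any attestation verifier: every failed cryptographic check must change the returned trust decision, not just the log. A log line is invisible to the policy engine that acts on the verifier's verdict.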

Affected Packages

PyPI keylime
Affected versions: all versions before 7.2.5 (fixed in 7.2.5)

Related CVEs

Key Information

GHSA ID
GHSA-g4wg-cfpf-9689
Published
July 19, 2023 9:30 PM
Last Modified
September 24, 2024 6:48 PM
CVSS Score
5.0 / 10
Primary Ecosystem
PyPI
Primary Package
keylime
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 31, 2025 6:36 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.