Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTN3eG0tbTltNC1jcHJq

Import of incorrectly embargoed keys could cause early publication

Impact

If your installation is using the export-importer service, there is potential impact.
If your installation is not importing keys via the export-importer services, your installation is not impacted.

In versions 0.19.1 and earlier, the export-importer service assumed that the server it was importing from had properly embargoed keys for at least 2 hours after their expiry time. There are now known instances of servers that did not properly embargo keys.

This could allow allow for imported keys to be re-published before they have expired, allowing for potential replay of RPIs.

Patches

This is patched in v0.18.3 and all versions 0.19.2 and later.

Workarounds

Ensure that the servers you are importing export zip files from are not publishing keys too early.

References

n/a

For more information

If you have any questions or comments about this advisory

• Open an issue in exposure-notifications-server
• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-3wxm-m9m4-cprj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTN3eG0tbTltNC1jcHJq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: about 2 years ago

Identifiers: GHSA-3wxm-m9m4-cprj
References:

• https://github.com/google/exposure-notifications-server/security/advisories/GHSA-3wxm-m9m4-cprj
• https://github.com/advisories/GHSA-3wxm-m9m4-cprj

Repository: https://github.com/google/exposure-notifications-server
Blast Radius: 0.0

Affected Packages