
Import of incorrectly embargoed keys could cause early publication

Moderate severity GitHub Reviewed Published Apr 1, 2021 in google/exposure-notifications-server • Updated Jan 9, 2023

Package

gomod github.com/google/exposure-notifications-server (Go)

Affected versions

< 0.18.3
>= 0.19.0, < 0.19.2

Patched versions

0.18.3
0.19.2

Description

Impact

If your installation is using the export-importer service, there is potential impact.
If your installation is not importing keys via the export-importer service, your installation is not impacted.

In versions 0.19.1 and earlier, the export-importer service assumed that the server it was importing from had properly embargoed keys for at least 2 hours after their expiry time. There are now known instances of servers that did not properly embargo keys.

This could allow imported keys to be re-published before they have expired, allowing for potential replay of RPIs.
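The defensive fix the advisory describes is to stop trusting the source server's embargo and enforce it on the importing side. The following Go snippet is an added example and is not code from the exposure-notifications-server project: the ImportedKey type, its field names, and the 10-minute interval constant are assumptions modelled on the Exposure Notification key format, and the sample keys are constructed. It holds back any key whose rolling period has not ended at least 2 hours ago, regardless of what the exporting server did.

```go
package main

import (
	"fmt"
	"time"
)

// Assumption: Exposure Notification keys are described in 10-minute rolling
// intervals since the Unix epoch, and the advisory's embargo is 2 hours past expiry.
const (
	intervalSeconds = 600
	embargo         = 2 * time.Hour
)

// ImportedKey is a hypothetical stand-in for a temporary exposure key read
// from an export zip; it is not the project's own type.
type ImportedKey struct {
	ID                         string
	RollingStartIntervalNumber int32
	RollingPeriod              int32
}

// ExpiresAt returns the moment the key's last rolling interval ends.
func (k ImportedKey) ExpiresAt() time.Time {
	end := int64(k.RollingStartIntervalNumber+k.RollingPeriod) * intervalSeconds
	return time.Unix(end, 0).UTC()
}

// PublishableAt is the earliest time the key may be re-published: expiry plus embargo.
func (k ImportedKey) PublishableAt() time.Time {
	return k.ExpiresAt().Add(embargo)
}

// FilterEmbargoed enforces the embargo locally. The vulnerable behaviour was to
// publish every imported key on the assumption that the source had already
// waited; here any key whose embargo has not elapsed is held instead.
func FilterEmbargoed(keys []ImportedKey, now time.Time) (publish, hold []ImportedKey) {
	for _, k := range keys {
		if now.Before(k.PublishableAt()) {
			hold = append(hold, k)
			continue
		}
		publish = append(publish, k)
	}
	return publish, hold
}

// SampleKeys builds constructed test data relative to now: one key whose
// embargo has elapsed, one inside the embargo window, and one still active
// (i.e. leaked early by a misbehaving source server).
func SampleKeys(now time.Time) []ImportedKey {
	nowInterval := int32(now.Unix() / intervalSeconds)
	return []ImportedKey{
		// Constructed: 144-interval day ended 18 intervals (3h) ago -> publishable.
		{ID: "expired-long-ago", RollingStartIntervalNumber: nowInterval - 144 - 18, RollingPeriod: 144},
		// Constructed: ended 3 intervals (30 min) ago -> still embargoed.
		{ID: "expired-recently", RollingStartIntervalNumber: nowInterval - 144 - 3, RollingPeriod: 144},
		// Constructed: ends 72 intervals (12h) from now -> must not be published.
		{ID: "still-active", RollingStartIntervalNumber: nowInterval - 72, RollingPeriod: 144},
	}
}

func main() {
	// Fixed clock so the example is reproducible; 12:00 UTC lies on an interval boundary.
	now := time.Date(2021, 4, 1, 12, 0, 0, 0, time.UTC)
	publish, hold := FilterEmbargoed(SampleKeys(now), now)
	for _, k := range publish {
		fmt.Printf("publish %-17s expired %s\n", k.ID, k.ExpiresAt().Format(time.RFC3339))
	}
	for _, k := range hold {
		fmt.Printf("hold    %-17s publishable at %s\n", k.ID, k.PublishableAt().Format(time.RFC3339))
	}
}
```

Held keys should be persisted and re-checked on a later import run rather than dropped, so that a source server's early publication delays but does not lose legitimate data.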

Patches

This is patched in v0.18.3 and all versions 0.19.2 and later.

Workarounds

Ensure that the servers you are importing export zip files from are not publishing keys too early.

References

n/a

For more information

If you have any questions or comments about this advisory

References

Reviewed May 20, 2021
Published to the GitHub Advisory Database May 21, 2021
Last updated Jan 9, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-3wxm-m9m4-cprj

Source code

No known source code