Products
Tillitis TKey signer device application
- 1.0.0
Source
security-advisories@github.com
Tags
CVE-2024-32482 details
Published : April 23, 2024, 6:15 p.m.
Last Modified : April 23, 2024, 6:15 p.m.
Last Modified : April 23, 2024, 6:15 p.m.
Description
The Tillitis TKey signer device application is an ed25519 signing tool. A vulnerability has been found that makes it possible to disclose portions of the TKey’s data in RAM over the USB interface. To exploit the vulnerability an attacker needs to use a custom client application and to touch the TKey. No secret is disclosed. All client applications integrating tkey-device-signer should upgrade to version 1.0.0 to receive a fix. No known workarounds are available.
CVSS Score
| 1 | 2.2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|
CVSS Data
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
2.2
Exploitability Score
Impact Score
Base Severity
LOW
Vector String : CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
References
| URL | Source |
|---|---|
| https://bugbounty.tillitis.se/security-bulletins/tillitis-security-bulletin-240115-1 | security-advisories@github.com |
| https://github.com/tillitis/tkey-device-signer/security/advisories/GHSA-frqc-62hv-379p | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.