CVE-2024-32482

April 23, 2024, 6:15 p.m.

2.2
Low

Description

The Tillitis TKey signer device application is an ed25519 signing tool. A vulnerability has been found that makes it possible to disclose portions of the TKey’s data in RAM over the USB interface. To exploit the vulnerability an attacker needs to use a custom client application and to touch the TKey. No secret is disclosed. All client applications integrating tkey-device-signer should upgrade to version 1.0.0 to receive a fix. No known workarounds are available.

Product(s) Impacted

Product Versions
Tillitis TKey signer device application
  • 1.0.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://bugbounty.tillitis.se/security-bulletins/tillitis-security-bulletin-240115-1
https://github.com/tillitis/tkey-device-signer/security/advisories/GHSA-frqc-62hv-379p

Tags

CVSS Score

2.2 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: April 23, 2024, 6:15 p.m.
Last Modified: April 23, 2024, 6:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.