Manipulation of ART Token Code Puts Trustee Users at Risk of Attack
CVE-2024-51997

8.1HIGH

Key Information:

Vendor: Confidential-containers
Status: Trustee
Vendor: CVE Published:; 8 November 2024

🔔 Create Confidential-containers Vulnerability Alert

What is CVE-2024-51997?

A vulnerability exists in Trustee, a suite of tools designed for attesting confidential guests and managing sensitive secrets. This issue stems from the ART (Attestation Results Token) token, which can be exploited by a man-in-the-middle (MITM) attacker. In the current implementation (v0.8.0), an attacker can replace the 'jwk' within the ART token payload with their own public key, allowing them to create a maliciously crafted ART token using their corresponding private key. This modification goes undetected by the verifier, such as the CoCo Verification Demander (e.g., KBS), leading to potential security breaches. This vulnerability has been addressed in version 0.8.2, and users are strongly encouraged to upgrade to the latest version, as no workarounds exist.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

trustee < 0.8.2

References

https://github.com/confidential-containers/trustee/securi...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 8, 2024
Vulnerability Reserved
Nov 4, 2024

JSON

Confidential-containers

What is CVE-2024-51997?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.