CVE-2023-3674
CVE-2023-3674 is a low-severity vulnerability in Keylime with a CVSS 3.x base score of 2.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1283.
Key facts
- Severity: Low (CVSS 3.x base score 2.3)
- EPSS exploit prediction: 0% (10th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-1283
- Affected product: Keylime
- Published:
- Last modified:
Description
A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.
Frequently asked questions
- What is CVE-2023-3674?
- A flaw was found in the keylime attestation verifier, which fails to flag a device's submitted TPM quote as faulty when the quote's signature does not validate for some reason. Instead, it will only emit an error in the log without flagging the device as untrusted.
- How severe is CVE-2023-3674?
- CVE-2023-3674 has a CVSS 3.x base score of 2.3, rated low severity. It is exploitable over local access with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2023-3674 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (10th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-3674?
- CVE-2023-3674 primarily affects Keylime. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-3674?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-3674 published?
- CVE-2023-3674 was published on 2023-07-19 and last updated on 2026-06-17.
References
- https://access.redhat.com/errata/RHSA-2024:1139
- https://access.redhat.com/security/cve/CVE-2023-3674
- https://bugzilla.redhat.com/show_bug.cgi?id=2222903
- https://github.com/keylime/keylime/commit/95ce3d86bd2c53009108ffda2dcf553312d733db
Affected products (2)
- cpe:2.3:a:keylime:keylime:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
More vulnerabilities in Keylime
- CVE-2021-43310 — Critical (CVSS 9.8): A vulnerability in Keylime before 6.3.0 allows an attacker to craft a request to the agent that resets the U and V keys…
- CVE-2021-3406 — Critical (CVSS 9.8): A flaw was found in keylime 5.8.1 and older. The issue in the Keylime agent and registrar code invalidates the…
- CVE-2026-1709 — Critical (CVSS 9.4): A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer…
- CVE-2022-1053 — Critical (CVSS 9.1): Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and…
- CVE-2023-38200 — High (CVSS 7.5): A flaw was found in Keylime. Due to their blocking nature, the Keylime registrar is subject to a remote denial of…
- CVE-2022-23952 — High (CVSS 7.5): In Keylime before 6.3.0, current keylime installer installs the keylime.conf file, which can contain sensitive data, as…
Other CWE-1283 vulnerabilities
- CVE-2022-1740 — Medium (CVSS 4.6): The tested version of Dominion Voting Systems ImageCast X’s on-screen application hash display feature, audit log…
- CVE-2024-29038 — Medium (CVSS 4.3): tpm2-tools is the source repository for the Trusted Platform Module (TPM2.0) tools. A malicious attacker can generate…