github.com/lf-edge/eve (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/lf-edge/eve, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (8)
CVE-2023-43632 — CVSS 9.0 (critical): As noted in the “VTPM.md” file in the eve documentation, “VTPM is a server listening on port 8877 in EVE, exposing limited…
CVE-2023-43631 — CVSS 8.8 (high): On boot, the Pillar eve container checks for the existence and content of “/config/authorized_keys”. If the file is present, and…
CVE-2023-43633 — CVSS 8.8 (high): On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it…
CVE-2023-43634 — CVSS 8.8 (high): When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE…
CVE-2023-43635 — CVSS 8.8 (high): Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the…
CVE-2023-43636 — CVSS 8.8 (high): In EVE OS, the “measured boot” mechanism prevents a compromised device from accessing the encrypted data located in the vault. As per…
CVE-2023-43630 — CVSS 8.8 (high): PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit…
CVE-2023-43637 — CVSS 7.8 (high): Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes…