CVE-2023-38200
Severity: HIGH 7.5 | EPSS: 0.26%
Keylime's registrar vulnerable to Denial-of-service attack via a single open connection
Published: 8/1/2023 | Modified: 2/14/2025
Description
### Impact

Keylime `registrar` is prone to a simple denial of service attack in which an adversary opens a connection to the TLS port (by default, port `8891`), blocking further, legitimate connections. As long as the connection is open, the `registrar` is blocked and cannot serve any further clients (`agents` and `tenants`), which prevents normal operation. The problem does not affect the `verifier`.

### Patches

Users should upgrade to release 7.4.0.
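The failure mode described above is a listener that finishes with one connection before it calls `accept()` again, so a client that connects and then stays silent parks the whole service. The following example is added here to illustrate that shape of problem and the two standard mitigations (one worker per connection, plus an idle timeout so a silent peer cannot pin a worker forever). It is not Keylime code and makes no claim about how the registrar is implemented; it uses plain TCP on localhost rather than TLS, and the timeout values and the `ok:` echo protocol are constructed for the demonstration.

```python
"""Added example: a one-connection-at-a-time listener versus a concurrent
listener with an idle timeout. Plain TCP on 127.0.0.1; not Keylime code."""
import socket
import socketserver
import threading

# Constructed sample values, not taken from the advisory.
IDLE_TIMEOUT = 0.5   # seconds a client may stay silent before its worker drops it
CLIENT_WAIT = 1.0    # how long the legitimate client waits for an answer


def make_handler(idle_timeout):
    """Build a request handler; idle_timeout=None reproduces the unbounded wait."""

    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            if idle_timeout is not None:
                self.request.settimeout(idle_timeout)
            try:
                data = self.request.recv(1024)   # blocks until the client speaks
            except socket.timeout:
                return                           # silent client: free the worker
            if data:
                self.request.sendall(b"ok:" + data)

    return Handler


class SerialServer(socketserver.TCPServer):
    """Handles one connection to completion before the next accept()."""
    allow_reuse_address = True


class ConcurrentServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    """Each accepted connection gets its own thread; accept() is never held up."""
    allow_reuse_address = True
    daemon_threads = True


def run_scenario(server_cls, idle_timeout):
    """Hold one connection open and silent, then check whether a second client is served.

    Returns (second_client_served, idle_client_closed_by_server)."""
    server = server_cls(("127.0.0.1", 0), make_handler(idle_timeout))
    port = server.server_address[1]
    t = threading.Thread(target=server.serve_forever,
                         kwargs={"poll_interval": 0.1}, daemon=True)
    t.start()
    try:
        idle = socket.create_connection(("127.0.0.1", port))   # connects, never sends
        client = socket.create_connection(("127.0.0.1", port))
        client.settimeout(CLIENT_WAIT)
        client.sendall(b"hello")
        try:
            served = client.recv(1024) == b"ok:hello"
        except socket.timeout:
            served = False                       # the listener is still parked on `idle`
        # Did the server hang up on the silent connection? recv() returns b"" on EOF.
        idle.settimeout(CLIENT_WAIT)
        try:
            idle_closed = idle.recv(1024) == b""
        except socket.timeout:
            idle_closed = False
        idle.close()                             # releases the serial server's handler
        client.close()
    finally:
        server.shutdown()
        server.server_close()
    return served, idle_closed


if __name__ == "__main__":
    print("serial, no timeout     :", run_scenario(SerialServer, None))
    print("threaded, idle timeout :", run_scenario(ConcurrentServer, IDLE_TIMEOUT))
```

`run_scenario(SerialServer, None)` returns `(False, False)`: the second client never gets an answer and the silent connection is never dropped. `run_scenario(ConcurrentServer, IDLE_TIMEOUT)` returns `(True, True)`: the second client is answered immediately and the silent peer is disconnected once the idle timeout expires. Both mitigations matter together; a thread per connection without a timeout still lets a silent peer hold a worker indefinitely, and a timeout alone does not unblock the accept loop while the wait is in progress. For a TLS listener the same reasoning applies to the handshake: if it runs inside the accept loop, a peer that connects and never completes the handshake blocks everyone else.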
Affected packages (1)
- PyPI/keylime: from 0, < 7.4.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-38200
- PATCH: https://github.com/keylime/keylime
- WEB: https://access.redhat.com/security/cve/CVE-2023-38200
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2222692
- WEB: https://github.com/keylime/keylime/commit/c68d8f0b7ea549c12b6956ab0f3c28ae0360ae17
- WEB: https://github.com/keylime/keylime/pull/1421
- WEB: https://github.com/keylime/keylime/releases/tag/v7.4.0
- WEB: https://github.com/keylime/keylime/security/advisories/GHSA-pg75-v6fp-8q59