{"id":"PYSEC-2023-160","details":"A flaw was found in the Keylime registrar that could allow a bypass of the challenge-response protocol during agent registration. This issue may allow an attacker to impersonate an agent and hide the true status of a monitored machine if the fake agent is added to the verifier list by a legitimate user, resulting in a breach of the integrity of the registrar database.","aliases":["CVE-2023-38201","GHSA-f4r5-q63f-gcww"],"modified":"2023-11-08T04:13:06.956471Z","published":"2023-08-25T17:15:00Z","references":[{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2023-38201"},{"type":"ADVISORY","url":"https://github.com/keylime/keylime/security/advisories/GHSA-f4r5-q63f-gcww"},{"type":"FIX","url":"https://github.com/keylime/keylime/commit/9e5ac9f25cd400b16d5969f531cee28290543f2a"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2222693"}],"affected":[{"package":{"name":"keylime","ecosystem":"PyPI","purl":"pkg:pypi/keylime"},"ranges":[{"type":"GIT","repo":"https://github.com/keylime/keylime","events":[{"introduced":"0"},{"fixed":"9e5ac9f25cd400b16d5969f531cee28290543f2a"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.5.0"}]}],"versions":["6.3.1","6.3.2","6.4.0","6.4.1","6.4.2","6.4.3","6.5.0","6.5.1","6.5.2","6.5.3","6.6.0","6.8.0","7.0.0","7.2.5","7.3.0","7.4.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/keylime/PYSEC-2023-160.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}