Description
In GitHub Security Advisory GHSA-3wxm-m9m4-cprj, there is a vulnerability in the following Go packages or modules:
| Unit | Fixed | Vulnerable Ranges |
|---|---|---|
| github.com/google/exposure-notifications-server | 0.19.2 | >= 0.19.0, < 0.19.2 |
See doc/triage.md for instructions on how to triage this report.
package: github.com/google/exposure-notifications-server
additional_packages:
  - package: github.com/google/exposure-notifications-server
    versions:
      - introduced: v0.0.0
        fixed: v0.18.3
versions:
  - introduced: v0.19.0
    fixed: v0.19.2
description: |
  ### Impact

  If your installation is using the `export-importer` service, there is potential impact.
  If your installation is not importing keys via the `export-importer` service, your installation is not impacted.

  In versions `0.19.1` and earlier, the `export-importer` service assumed that the server it was importing from had properly embargoed keys for at least 2 hours after their expiry time. There are now known instances of servers that did not properly embargo keys.

  This could allow imported keys to be re-published before they have expired, allowing for potential replay of RPIs.

  ### Patches

  This is patched in `v0.18.3` and all versions `0.19.2` and later.

  ### Workarounds

  Ensure that the servers you are importing export zip files from are not publishing keys too early.

  ### References

  n/a

  ### For more information

  If you have any questions or comments about this advisory
  * Open an issue in [exposure-notifications-server](https://github.com/google/exposure-notifications-server/)
  * Email us at [exposure-notifications-feedback@google.com](mailto:exposure-notifications-feedback@google.com)
published: 2021-05-21T16:24:44Z
last_modified: 2021-05-21T16:24:44Z
ghsas:
- GHSA-3wxm-m9m4-cprj
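The defensive check the advisory implies, as an added example that is not the project's own code: instead of trusting the upstream export server to have embargoed keys, the importer enforces the 2-hour post-expiry embargo itself before republishing. It assumes GAEN-style keys whose rolling start and rolling period are counted in 10-minute intervals since the Unix epoch; `ExposureKey`, `SafeToPublish` and `FilterImport` are constructed names.

```go
package main

import "time"

// Enforced by the importer itself rather than trusted from the upstream server,
// which is the assumption the advisory describes. interval is the 10-minute
// rolling interval of GAEN-style keys (an assumption, not stated on the page).
const (
	embargo  = 2 * time.Hour
	interval = 10 * time.Minute
)

// ExposureKey is a constructed stand-in, not the project's own type.
type ExposureKey struct {
	Key                        string
	RollingStartIntervalNumber int64 // 10-minute intervals since the Unix epoch
	RollingPeriod              int64 // validity window in 10-minute intervals
}

// Expiry returns the instant at which the key's validity window ends.
func (k ExposureKey) Expiry() time.Time {
	end := k.RollingStartIntervalNumber + k.RollingPeriod
	return time.Unix(end*int64(interval/time.Second), 0).UTC()
}

// SafeToPublish reports whether a key imported at now may be republished:
// only once its expiry plus the embargo window has fully elapsed.
func SafeToPublish(k ExposureKey, now time.Time) bool {
	return !now.Before(k.Expiry().Add(embargo))
}

// FilterImport splits an upstream batch into keys that may be republished and
// keys that must be held because the upstream server released them too early.
func FilterImport(keys []ExposureKey, now time.Time) (ok, held []ExposureKey) {
	for _, k := range keys {
		if SafeToPublish(k, now) {
			ok = append(ok, k)
		} else {
			held = append(held, k)
		}
	}
	return ok, held
}
```

A key that expired exactly 2 hours ago passes (the boundary is inclusive); one that expired more recently is held regardless of what the upstream server published.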