Description
Advisory GHSA-72c7-4g63-hpw5 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/in-toto/go-witness |
Description:
Impact
This vulnerability only affects users of the AWS attestor.
Users of the AWS attestor could have unknowingly received a forged identity document. While this may seem unlikely, AWS recently issued a security bulletin about IMDS (Instance Metadata Service) impersonation.[^1]
There are multiple locations where the verification of the identity document will mistakenly report a successful verification.
- If a signature is not present or is empty
  https://github.com/in-toto/go-witness/blob/0c8bb30c143951d88b1d4b32f260c5f67d30137b/attestation/aws-iid/aws-iid.go#L161-L163
- If the RSA ver...
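The first failure mode above (an absent or empty signature being reported as verified) is a fail-open check. The following Go program is an added illustration of that check beside its fail-closed form; it is not go-witness's code, and `IdentityDocument`, `verifyFailOpen`, `verifyFailClosed` and `compare` are hypothetical names. A locally generated RSA key stands in for the AWS regional signing certificate that a real verifier must use, and the document body is constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// IdentityDocument is a hypothetical stand-in for an EC2 instance identity
// document and its detached signature. It is not go-witness's own type.
type IdentityDocument struct {
	Body      []byte
	Signature []byte // RSA PKCS#1 v1.5 signature over SHA-256(Body)
}

// verifyFailOpen reproduces the defect class the advisory describes: an
// absent or empty signature is treated as "nothing to check" and the
// function reports success without any cryptographic verification.
func verifyFailOpen(pub *rsa.PublicKey, doc IdentityDocument) error {
	if len(doc.Signature) == 0 {
		return nil // BUG: a document with no signature is accepted
	}
	digest := sha256.Sum256(doc.Body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], doc.Signature)
}

// verifyFailClosed is the hardened form: a missing key or signature is an
// error, and nil is returned only after the signature actually verifies.
func verifyFailClosed(pub *rsa.PublicKey, doc IdentityDocument) error {
	if pub == nil {
		return errors.New("identity document: no trusted public key")
	}
	if len(doc.Signature) == 0 {
		return errors.New("identity document: signature missing or empty")
	}
	digest := sha256.Sum256(doc.Body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], doc.Signature); err != nil {
		return fmt.Errorf("identity document: signature verification failed: %w", err)
	}
	return nil
}

// signDocument builds a correctly signed document from constructed test data,
// standing in for the signature AWS attaches to a real identity document.
func signDocument(priv *rsa.PrivateKey, body []byte) (IdentityDocument, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return IdentityDocument{}, err
	}
	return IdentityDocument{Body: body, Signature: sig}, nil
}

// Outcome records whether each verifier accepts a given document.
type Outcome struct {
	FailOpenAccepts   bool
	FailClosedAccepts bool
}

// compare runs both verifiers over one document.
func compare(pub *rsa.PublicKey, doc IdentityDocument) Outcome {
	return Outcome{
		FailOpenAccepts:   verifyFailOpen(pub, doc) == nil,
		FailClosedAccepts: verifyFailClosed(pub, doc) == nil,
	}
}

func main() {
	// A locally generated key stands in for the AWS regional signing key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	body := []byte(`{"instanceId":"i-0123456789abcdef0","region":"us-east-1"}`) // constructed
	signed, err := signDocument(priv, body)
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		doc  IdentityDocument
	}{
		{"signed", signed},
		{"no-signature", IdentityDocument{Body: body}},
		{"tampered-body", IdentityDocument{Body: []byte(`{"instanceId":"i-other"}`), Signature: signed.Signature}},
	}
	for _, c := range cases {
		o := compare(&priv.PublicKey, c.doc)
		fmt.Printf("%-14s fail-open accepts=%v  fail-closed accepts=%v\n", c.name, o.FailOpenAccepts, o.FailClosedAccepts)
	}
}
```

Running it shows the difference in one line: the unsigned document is accepted by `verifyFailOpen` and rejected by `verifyFailClosed`, while the genuinely signed document passes both and the tampered body passes neither. The defensive rule the hardened version follows is that every path that does not end in a successful `rsa.VerifyPKCS1v15` call must return an error.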
References:
- ADVISORY: GHSA-72c7-4g63-hpw5
- ADVISORY: GHSA-72c7-4g63-hpw5
- FIX: in-toto/go-witness@04ff20b
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
```
id: GO-ID-PENDING
modules:
    - module: github.com/in-toto/go-witness
      versions:
          - fixed: 0.9.1
      vulnerable_at: 0.9.0
summary: go-witness is Vulnerable to Improper Verification of AWS EC2 Identity Documents in github.com/in-toto/go-witness
cves:
    - CVE-2025-62375
ghsas:
    - GHSA-72c7-4g63-hpw5
references:
    - advisory: https://github.com/advisories/GHSA-72c7-4g63-hpw5
    - advisory: https://github.com/in-toto/go-witness/security/advisories/GHSA-72c7-4g63-hpw5
    - fix: https://github.com/in-toto/go-witness/commit/04ff20b600e28ce8fd1aa287534dd383a1cfefb9
source:
    id: GHSA-72c7-4g63-hpw5
    created: 2025-10-15T21:01:14.852173972Z
review_status: UNREVIEWED
```