一、 漏洞 CVE-2025-62375 基础信息
漏洞信息
                                        # Go-Witness AWS EC2 身份文档验证漏洞

N/A
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
go-witness Improper Verification of AWS EC2 Identity Documents
来源:美国国家漏洞数据库 NVD
漏洞描述信息
go-witness and witness are Go modules for generating attestations. In go-witness versions 0.8.6 and earlier and witness versions 0.9.2 and earlier the AWS attestor improperly verifies AWS EC2 instance identity documents. Verification can incorrectly succeed when a signature is not present or is empty, and when RSA signature verification fails. The attestor also embeds a single legacy global AWS public certificate and does not account for newer region specific certificates issued in 2024, making detection of forged documents difficult without additional trusted region data. An attacker able to supply or intercept instance identity document data (such as through Instance Metadata Service impersonation) can cause a forged identity document to be accepted, leading to incorrect trust decisions based on the attestation. This is fixed in go-witness 0.9.1 and witness 0.10.1. As a workaround, manually verify the included identity document, signature, and public key with standard tools (for example openssl) following AWS’s verification guidance, or disable use of the AWS attestor until upgraded.
来源:美国国家漏洞数据库 NVD
CVSS信息
N/A
来源:美国国家漏洞数据库 NVD
漏洞类别
证书验证不恰当
来源:美国国家漏洞数据库 NVD
漏洞标题
go-witness 信任管理问题漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
go-witness是in-toto开源的一个Golang库。 go-witness 0.8.6及之前版本存在信任管理问题漏洞,该漏洞源于AWS attestor未正确验证AWS EC2实例身份文档,可能导致伪造身份文档被接受。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
信任管理问题
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2025-62375 的公开POC
# POC 描述 源链接 神龙链接
三、漏洞 CVE-2025-62375 的情报信息
四、漏洞 CVE-2025-62375 的评论

暂无评论

发表评论