CNNVD-202510-2085 Information

CNNVD ID

CNNVD-202510-2085

CVE-2025-62375

  • CNNVD Published: 2025-10-15

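Description (translated from Chinese)

go-witness is an open-source Golang library from in-toto. go-witness 0.8.6 and earlier contain a trust management vulnerability: the AWS attestor does not properly verify AWS EC2 instance identity documents, so a forged identity document may be accepted.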

Description (English)

go-witness is an open-source Golang library maintained by in-toto. Versions 0.8.6 and earlier have a trust management issue that stems from the AWS attestor not correctly verifying the AWS EC2 instance identity document, which may lead to a forged identity document being accepted.

Hazard Level

High

Vulnerability Type

Trust management issue

Affected Vendor

in-toto

Published

2025-10-15

Last Modified

2026-02-24

References

  • https://github.com/in-toto/go-witness/commit/04ff20b600e28ce8fd1aa287534dd383a1cfefb9
  • https://github.com/in-toto/go-witness/security/advisories/GHSA-72c7-4g63-hpw5
  • https://access.redhat.com/security/cve/cve-2025-62375

Patch

https://github.com/in-toto/go-witness/releases
