Nikki Vonhollen

**Name of the Vulnerable Software and Affected Versions** go-attestation versions prior to 0.4.0 **Description** The issue is caused by improper input validation in `AKPublic.Verify`, allowing local users to provide a maliciously-formed Quote over no/some PCRs, causing `AKPublic.Verify` to succeed despite the inconsistency. Subsequent use of the same set of PCR values in `Eventlog.Verify` lacks the authentication performed by quote verification, meaning a local attacker could couple this vulnerability with a maliciously-crafted TCG log in `Eventlog.Verify` to spoof events in the TCG log, hence defeating remotely-attested measured-boot. **Recommendations** For go-attestation versions prior to 0.4.0, upgrade to version 0.4.0 or above to resolve the issue. If your usage of this library verifies PCRs using multiple quotes, make sure to use the new method `AKPublic.VerifyAll()` instead of `AKPublic.Verify`.