PT-2025-41491 · Unknown · Confidential Containers Trustee
Esposem · Published 2025-10-09 · Updated 2025-10-09 · CVE-2025-61779
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Confidential Containers Trustee versions prior to 0.15.0
Description
The Confidential Containers Trustee project, which includes tools for attesting confidential guests and providing secrets, had a flaw in the attestation-policy endpoint. Before version 0.15.0, the endpoint did not verify that the kbs-client making the request was authenticated, allowing any client to modify the attestation policy. The kbs-client could submit requests to the /attestation-policy API endpoint without proper authentication.
Recommendations
Update to version 0.15.0 or later.
Exploit
Fix
IDOR
Affected Products
Confidential Containers Trustee