{
  "schema_version": "1.4.0",
  "id": "GHSA-3wxm-m9m4-cprj",
  "modified": "2021-05-20T20:24:22Z",
  "published": "2021-05-21T16:24:44Z",
  "aliases": [],
  "summary": "Import of incorrectly embargoed keys could cause early publication",
  "details": "### Impact\n\nIf your installation is using the `export-importer` service, there is potential impact.\nIf your installation is not importing keys via the `export-importer` services, your installation is not impacted.\n\nIn versions `0.19.1` and earlier, the `export-importer` service assumed that the server it was importing from had properly embargoed keys for at least 2 hours after their expiry time. There are now known instances of servers that did not properly embargo keys.\n\nThis could allow allow for imported keys to be re-published before they have expired, allowing for potential replay of RPIs.\n\n### Patches\n\nThis is patched in `v0.18.3` and all versions `0.19.2` and later.\n\n### Workarounds\n\nEnsure that the servers you are importing export zip files from are not publishing keys too early. \n\n### References\n\nn/a\n\n### For more information\n\nIf you have any questions or comments about this advisory\n* Open an issue in [exposure-notifications-server](https://github.com/google/exposure-notifications-server/)\n* Email us at [exposure-notifications-feedback@google.com](mailto:exposure-notifications-feedback@google.com)",
  "severity": [],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/google/exposure-notifications-server"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.18.3"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/google/exposure-notifications-server"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0.19.0"
            },
            {
              "fixed": "0.19.2"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/google/exposure-notifications-server/security/advisories/GHSA-3wxm-m9m4-cprj"
    }
  ],
  "database_specific": {
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-20T20:24:22Z",
    "nvd_published_at": null
  }
}