{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "1.0.0" } ] }, "events": [ { "introduced": "0" }, { "fixed": "4d9fe474af2d7fca69524ca324635d40b9fd6af8" } ], "repo": "https://github.com/tillitis/tkey-device-signer", "type": "GIT" } ] } ], "aliases": [ "GHSA-frqc-62hv-379p" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-125", "CWE-367" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32482.json" }, "details": "The Tillitis TKey signer device application is an ed25519 signing tool. A vulnerability has been found that makes it possible to disclose portions of the TKey’s data in RAM over the USB interface. To exploit the vulnerability an attacker needs to use a custom client application and to touch the TKey. No secret is disclosed. All client applications integrating tkey-device-signer should upgrade to version 1.0.0 to receive a fix. No known workarounds are available.", "id": "CVE-2024-32482", "modified": "2026-03-13T21:50:47.336667767Z", "published": "2024-04-23T17:38:09.614Z", "references": [ { "type": "WEB", "url": "https://bugbounty.tillitis.se/security-bulletins/tillitis-security-bulletin-240115-1" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32482.json" }, { "type": "ADVISORY", "url": "https://github.com/tillitis/tkey-device-signer/security/advisories/GHSA-frqc-62hv-379p" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32482" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Tillitis TKey Signer possible RAM disclosure vulnerability" }