SCA: security update for github.com/evervault/evervault-go (GHSA-88h9-77c7-p6w4)

medium Tenable Self-Hosted Container Security Plugin ID 436031

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Evervault is a payment security solution. A vulnerability was identified in the `evervault-go` SDK’s
attestation verification logic in versions of `evervault-go` prior to 1.3.2 that may allow incomplete
documents to pass validation. This may cause the client to trust an enclave operator that does not meet
expected integrity guarantees. The exploitability of this issue is limited in Evervault-hosted
environments as an attacker would require the pre-requisite ability to serve requests from specific
evervault domain names, following from our ACME challenge based TLS certificate acquisition pipeline. The
vulnerability primarily affects applications which only check PCR8. Though the efficacy is also reduced
for applications that check all PCR values, the impact is largely remediated by checking PCR 0, 1 and 2.
The identified issue has been addressed in version 1.3.2 by validating attestation documents before
storing in the cache, and replacing the naive equality checks with a new SatisfiedBy check. Those who
useevervault-go to attest Enclaves that are hosted outside of Evervault environments and cannot upgrade
have two possible workarounds available. Modify the application logic to fail verification if PCR8 is not
explicitly present and non-empty and/or add custom pre-validation to reject documents that omit any
required PCRs. (CVE-2025-64186)

See Also

https://github.com/advisories/GHSA-88h9-77c7-p6w4

Plugin Details

Severity: Medium

ID: 436031

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 11/13/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.69

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N

CVSS Score Source: CVE-2025-64186

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/12/2025

Vulnerability Publication Date: 11/12/2025

Reference Information

CVE: CVE-2025-64186

cwe: CWE-347