
Cloud Vulnerability DB
A community-led vulnerabilities database
A moderate severity vulnerability, GHSA-3wxm-m9m4-cprj, was published on April 1, 2021 for the google/exposure-notifications-server package. It affects versions earlier than 0.18.3, and versions from 0.19.0 up to but not including 0.19.2. Only installations that run the export-importer service are affected (GitHub Advisory).
The export-importer service pulls export zip files from other exposure notification servers and re-publishes the Temporary Exposure Keys (TEKs) they contain. It assumed that the servers it imported from had embargoed each key for at least 2 hours after the key's expiry time, and relied on that assumption instead of enforcing the embargo itself. Instances were found where upstream servers did not embargo keys properly, so the importer could re-publish keys that had not yet expired (GitHub Advisory).
The impact is that imported keys could be re-published before they expired. A TEK that is still valid can be used to derive the Rolling Proximity Identifiers (RPIs) a device is currently broadcasting, so publishing it early enables replay attacks of RPIs. Installations that do not use the export-importer service are not affected (GitHub Advisory).
The issue is fixed in versions 0.18.3 and 0.19.2. As a workaround, operators should verify that the servers whose export zip files they import do not publish keys before those keys have expired. For additional support, open an issue in the exposure-notifications-server repository or contact exposure-notifications-feedback@google.com (GitHub Advisory).
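The importer-side check that closes this gap can be stated in a few lines of Go. The block below is an added example, not code from the exposure-notifications-server project or the advisory: it derives each imported key's expiry from its rolling start interval and rolling period (10-minute intervals, as in the Exposure Notification key format) and holds the key until the 2-hour embargo after expiry has passed, instead of trusting the upstream server to have done so. The TemporaryExposureKey struct, the Triage function, the sample keys and the hold-rather-than-drop policy are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Exposure Notification TEKs are scoped to 10-minute intervals
// (ENIntervalNumber); this is the interval length from the EN key format.
const intervalLength = 10 * time.Minute

// Minimum time a key is held after it expires before being published.
// The 2-hour figure is the embargo the advisory says the importer assumed.
const embargo = 2 * time.Hour

// TemporaryExposureKey is a constructed stand-in for one key in an export
// file. The field names follow the export format's TemporaryExposureKey
// message; the struct itself is an assumption, not the project's type.
type TemporaryExposureKey struct {
	KeyData                    []byte
	RollingStartIntervalNumber int32 // first interval the key was valid for
	RollingPeriod              int32 // number of intervals it was valid for (1..144)
}

// ExpiresAt is the first instant at which the key is no longer valid.
func (k TemporaryExposureKey) ExpiresAt() time.Time {
	endInterval := int64(k.RollingStartIntervalNumber) + int64(k.RollingPeriod)
	return time.Unix(endInterval*int64(intervalLength/time.Second), 0).UTC()
}

// PublishableAt is the earliest instant the key may be re-published.
func (k TemporaryExposureKey) PublishableAt() time.Time {
	return k.ExpiresAt().Add(embargo)
}

// Triage sorts imported keys into those safe to publish now, those that
// must be held until their embargo ends, and those with an invalid rolling
// period. Holding rather than dropping early keys is an assumed policy.
func Triage(keys []TemporaryExposureKey, now time.Time) (publish, held, rejected []TemporaryExposureKey) {
	for _, k := range keys {
		switch {
		case k.RollingPeriod < 1 || k.RollingPeriod > 144:
			rejected = append(rejected, k)
		case now.Before(k.PublishableAt()):
			held = append(held, k)
		default:
			publish = append(publish, k)
		}
	}
	return publish, held, rejected
}

func main() {
	now := time.Now().UTC()
	n := int32(now.Unix() / int64(intervalLength/time.Second))
	// Constructed sample: one key that expired over a day ago, one still
	// valid (an upstream server published it early), and one malformed key.
	keys := []TemporaryExposureKey{
		{KeyData: []byte("old"), RollingStartIntervalNumber: n - 300, RollingPeriod: 144},
		{KeyData: []byte("early"), RollingStartIntervalNumber: n - 100, RollingPeriod: 144},
		{KeyData: []byte("bad"), RollingStartIntervalNumber: n, RollingPeriod: 0},
	}
	publish, held, rejected := Triage(keys, now)
	for _, k := range publish {
		fmt.Printf("publish %s (expired %s)\n", k.KeyData, k.ExpiresAt().Format(time.RFC3339))
	}
	for _, k := range held {
		fmt.Printf("hold    %s until %s\n", k.KeyData, k.PublishableAt().Format(time.RFC3339))
	}
	for _, k := range rejected {
		fmt.Printf("reject  %s (rolling period %d)\n", k.KeyData, k.RollingPeriod)
	}
}
```

The same ExpiresAt and PublishableAt checks serve the workaround described above: when auditing an upstream server's export files, any key whose PublishableAt lies after the time the file was generated is one that server published too early.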
Source: This report was generated using AI