Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02dzVmLTV3Z3ItcWpnNc4AAyA1
Constellation allows Emergency shell access during initramfs boot phase
Impact
An active attacker could let the boot fail on purpose in the initramfs, dropping the serial console into an emergency shell. This gives attackers with access to the serial console full control over the VM.
Patches
The issue has been patched in v2.6.0.
Workarounds
none
Permalink: https://github.com/advisories/GHSA-6w5f-5wgr-qjg5JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02dzVmLTV3Z3ItcWpnNc4AAyA1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
Identifiers: GHSA-6w5f-5wgr-qjg5
References:
- https://github.com/edgelesssys/constellation/security/advisories/GHSA-6w5f-5wgr-qjg5
- https://github.com/edgelesssys/constellation/releases/tag/v2.6.0
- https://github.com/advisories/GHSA-6w5f-5wgr-qjg5
Blast Radius: 0.0
Affected Packages
go:github.com/edgelesssys/constellation/v2
Dependent packages: 2Dependent repositories: 1
Downloads:
Affected Version Ranges: < 2.6.0
Fixed in: 2.6.0
All affected versions: 2.0.0, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.5.2, 2.5.3
All unaffected versions: 2.6.0, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.15.0, 2.15.1, 2.16.0, 2.16.1, 2.16.2