An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14NXI1LTJxcngtcnFqOM4AA5ik

Transparent TLS may not be applied to Marbles with certain manifest configurations

Transparent TLS (TTLS) is a MarbleRun feature that wraps plain TCP connections between Marbles in TLS.
In the manifest, a user defines the connections that should be considered.


If a Marble is configured for TTLS, but doesn't have an environment variable defined in its parameters, TTLS is not applied.
The traffic will not be encrypted.

MarbleRun deployments that don't use TTLS (which is only available with EGo Marbles) are not affected.


The issue has been patched in v1.4.1.


Make sure that all Marbles that use TTLS have an environment variable defined in their parameters.


For a description of TTLS, see
See the updated section on TTLS configuration in the manifest:

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 months ago
Updated: about 2 months ago

CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-x5r5-2qrx-rqj8
References: Repository:
Blast Radius: 5.5

Affected Packages
Dependent packages: 6
Dependent repositories: 4
Affected Version Ranges: < 1.4.1
Fixed in: 1.4.1
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0
All unaffected versions: 1.4.1