Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qM3JxLTR4ancteGc2M84AA3hy
Go package github.com/edgelesssys/marblerun CLI commands susceptible to MITM attacks
Impact
Any CLI command issued to a Coordinator after the Manifest has been set, is susceptible to be redirected to another MarbleRun Coordinator instance, which runs the same binary, but potentially a different manifest.
Patches
The issue has been patched in v1.4.0
Workarounds
Directly using the REST API of the Coordinator and manually verifying and pinning the certificate to a set Manifest avoids the issue.
Permalink: https://github.com/advisories/GHSA-j3rq-4xjw-xg63JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qM3JxLTR4ancteGc2M84AA3hy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 5 months ago
Identifiers: GHSA-j3rq-4xjw-xg63
References:
- https://github.com/edgelesssys/marblerun/security/advisories/GHSA-j3rq-4xjw-xg63
- https://github.com/edgelesssys/marblerun/releases/tag/v1.4.0
- https://github.com/advisories/GHSA-j3rq-4xjw-xg63
Blast Radius: 0.0
Affected Packages
go:github.com/edgelesssys/marblerun
Dependent packages: 6Dependent repositories: 4
Downloads:
Affected Version Ranges: < 1.4.0
Fixed in: 1.4.0
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 1.0.0, 1.1.0, 1.2.0, 1.3.0
All unaffected versions: 1.4.0, 1.4.1