Go package github.com/edgelesssys/marblerun CLI commands susceptible to MITM attacks

High severity GitHub Reviewed Published Dec 4, 2023 in edgelesssys/marblerun • Updated Dec 4, 2023

Package

gomod github.com/edgelesssys/marblerun (Go)

Affected versions

< 1.4.0

Patched versions

1.4.0

Description

Impact

Any CLI command issued to a Coordinator after the Manifest has been set is susceptible to being redirected to another MarbleRun Coordinator instance that runs the same binary but potentially a different manifest.

Patches

The issue has been patched in v1.4.0.

Workarounds

Using the Coordinator's REST API directly, and manually verifying and pinning the Coordinator certificate to the Manifest that was set, avoids the issue.
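The workaround above, and the redirection scenario described under Impact, as an added Go example that is not part of MarbleRun or this advisory: the client pins the SHA-256 fingerprint of the Coordinator certificate recorded when the Manifest was set, so a second Coordinator running the same binary (and therefore passing the same attestation) but holding its own key is rejected at the TLS handshake, and the fetched manifest is additionally checked against the hash of the Manifest that was set. The `/manifest` path and the assumption that the response body is the raw manifest bytes are assumptions of this example, not the project's documented API.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
)

// Sha256Hex: hex SHA-256 of b (certificate DER bytes or the manifest body).
func Sha256Hex(b []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// PinnedClient completes a TLS handshake only with a server presenting the exact leaf
// certificate whose fingerprint is pinnedFP, i.e. the one recorded when the Manifest was set.
func PinnedClient(pinnedFP string) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: true, // identity comes from the pin below, not from system CAs
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return fmt.Errorf("no peer certificate presented")
			}
			if got := Sha256Hex(rawCerts[0]); got != pinnedFP {
				return fmt.Errorf("certificate pin mismatch: got %s want %s", got, pinnedFP)
			}
			return nil
		},
	}}}
}

// FetchManifest GETs baseURL+"/manifest" (path is an assumption) over the pinned client
// and additionally rejects the body unless it hashes to wantHash, the Manifest you set.
func FetchManifest(c *http.Client, baseURL, wantHash string) ([]byte, error) {
	resp, err := c.Get(baseURL + "/manifest")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if got := Sha256Hex(body); got != wantHash {
		return nil, fmt.Errorf("manifest hash mismatch: got %s want %s", got, wantHash)
	}
	return body, nil
}
```

Record the fingerprint and manifest hash at `manifest set` time and pass them to every later command; a Coordinator that presents any other certificate, or serves any other manifest, fails closed.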

@daniel-weisse daniel-weisse published to edgelesssys/marblerun Dec 4, 2023
Published to the GitHub Advisory Database Dec 4, 2023
Reviewed Dec 4, 2023
Last updated Dec 4, 2023

Severity

High

CVE ID

No known CVE

GHSA ID

GHSA-j3rq-4xjw-xg63
