GHSA-j3rq-4xjw-xg63

Source
https://github.com/advisories/GHSA-j3rq-4xjw-xg63
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-j3rq-4xjw-xg63/GHSA-j3rq-4xjw-xg63.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-j3rq-4xjw-xg63
Aliases
Published
2023-12-04T23:13:42Z
Modified
2024-08-21T14:57:43.653467Z
Summary
Go package github.com/edgelesssys/marblerun CLI commands susceptible to MITM attacks
Details

Impact

Any CLI command issued to a Coordinator after the Manifest has been set is susceptible to being redirected to another MarbleRun Coordinator instance that runs the same binary but potentially a different manifest. The CLI's checks therefore establish only that the peer runs the expected binary, not that it is the specific Coordinator instance holding the Manifest the operator set.

Patches

The issue has been patched in v1.4.0.

Workarounds

Until upgraded, call the Coordinator's REST API directly instead of through the CLI, verify its certificate manually, and pin that certificate to the Manifest that was set. A connection whose certificate does not match the pinned one is then rejected rather than silently served by a different Coordinator instance.
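The workaround describes pinning the Coordinator's certificate for direct REST API calls. As an added example, not code from the MarbleRun project or the advisory, the following Go program shows one way to do that with the standard library: the HTTP client fails closed unless the chain a server presents validates against a single pinned root, and the fingerprint of the anchor actually used is checked explicitly. The certificates are constructed in memory so the check runs offline and stands in for the real Coordinator PKI; the hostname `coordinator`, the port 4433 and the `/manifest` path mentioned in the usage note are assumptions about a deployment, not facts from the advisory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// Fingerprint is the hex SHA-256 of a certificate's DER bytes: the value an
// operator records once the manifest is set and pins for every later call.
func Fingerprint(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.Raw))
}

// VerifyPinnedChain validates the chain a server presented (leaf first) against
// one trust anchor, the pinned Coordinator root, then confirms the anchor that was
// actually used carries the pinned fingerprint. A second Coordinator built from
// the same binary has a different root, so its chain is rejected here.
func VerifyPinnedChain(rawCerts [][]byte, pinnedRoot *x509.Certificate, serverName string) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("server presented no certificate")
	}
	certs := make([]*x509.Certificate, 0, len(rawCerts))
	for _, raw := range rawCerts {
		c, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("parse peer certificate: %w", err)
		}
		certs = append(certs, c)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(pinnedRoot)
	for _, c := range certs[1:] {
		inters.AddCert(c)
	}
	chains, err := certs[0].Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots, Intermediates: inters})
	if err != nil {
		return fmt.Errorf("chain does not lead to the pinned root: %w", err)
	}
	if anchor := chains[0][len(chains[0])-1]; Fingerprint(anchor) != Fingerprint(pinnedRoot) {
		return fmt.Errorf("trust anchor fingerprint mismatch")
	}
	return nil
}

// NewPinnedClient returns an HTTP client for the Coordinator REST API that fails
// closed unless the server chain leads to pinnedRoot. Default verification is off
// only because VerifyPinnedChain redoes it in full against the pinned root alone.
func NewPinnedClient(pinnedRoot *x509.Certificate, serverName string) *http.Client {
	cfg := &tls.Config{
		ServerName:         serverName,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return VerifyPinnedChain(rawCerts, pinnedRoot, serverName)
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 10 * time.Second}
}

// newCert builds a throwaway certificate in memory (constructed sample, not the
// Coordinator's real PKI): a self-signed root when parent is nil, else a server leaf.
func newCert(dnsName string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer := key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	} else {
		tmpl.DNSNames, signer = []string{dnsName}, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	rootA, keyA, _ := newCert("Coordinator A root", nil, nil) // two Coordinators, same binary
	rootB, keyB, _ := newCert("Coordinator B root", nil, nil)
	leafA, _, _ := newCert("coordinator", rootA, keyA)
	leafB, _, _ := newCert("coordinator", rootB, keyB)
	fmt.Println("pinned A, served by A:", VerifyPinnedChain([][]byte{leafA.Raw}, rootA, "coordinator"))
	fmt.Println("pinned A, served by B:", VerifyPinnedChain([][]byte{leafB.Raw}, rootA, "coordinator"))
}
```

In use, the root to pin is the one obtained and verified once against the intended Coordinator right after the manifest has been set, and `Fingerprint(root)` is recorded alongside that manifest; later calls go through `NewPinnedClient(root, host).Get("https://" + host + ":4433/manifest")` (host, port and path assumed) and abort on any error. A Coordinator instance built from the same binary but with its own root passes a check that only inspects the binary; it does not pass this one.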

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-300"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-04T23:13:42Z"
}
References

Affected packages

Go / github.com/edgelesssys/marblerun

Package

Name
github.com/edgelesssys/marblerun
Purl
pkg:golang/github.com/edgelesssys/marblerun

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.4.0