GHSA-x5r5-2qrx-rqj8

Source

https://github.com/advisories/GHSA-x5r5-2qrx-rqj8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-x5r5-2qrx-rqj8/GHSA-x5r5-2qrx-rqj8.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-x5r5-2qrx-rqj8

Aliases

GO-2024-2583

Published

2024-02-27T19:02:15Z

Modified

2024-03-04T17:57:01.148429Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Transparent TLS may not be applied to Marbles with certain manifest configurations

Details

Transparent TLS (TTLS) is a MarbleRun feature that wraps plain TCP connections between Marbles in TLS. In the manifest, a user defines the connections that should be considered.

Impact

If a Marble is configured for TTLS, but doesn't have an environment variable defined in its parameters, TTLS is not applied. The traffic will not be encrypted.

MarbleRun deployments that don't use TTLS (which is only available with EGo Marbles) are not affected.

Patches

The issue has been patched in v1.4.1.

Workarounds

Make sure that all Marbles that use TTLS have an environment variable defined in their parameters.

References

For a description of TTLS, see https://docs.edgeless.systems/marblerun/features/transparent-TLS See the updated section on TTLS configuration in the manifest: https://docs.edgeless.systems/marblerun/workflows/define-manifest#tls

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-27T19:02:15Z"
}

References

Affected packages

Go / github.com/edgelesssys/marblerun

Package

Name: github.com/edgelesssys/marblerun; View open source insights on deps.dev
Purl: pkg:golang/github.com/edgelesssys/marblerun

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.1