Headline
GHSA-j3rq-4xjw-xg63: Go package github.com/edgelesssys/marblerun CLI commands susceptible to MITM attacks
Impact
Any CLI command issued to a Coordinator after the Manifest has been set is susceptible to being redirected to another MarbleRun Coordinator instance that runs the same binary but potentially a different manifest.
Patches
The issue has been patched in v1.4.0.
Workarounds
Using the Coordinator's REST API directly, and manually verifying the certificate and pinning it to a set Manifest, avoids the issue.
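The workaround amounts to certificate pinning: the client must refuse any TLS peer whose certificate is not the one it has already tied to the Manifest it verified. The Go program below is an added example, not MarbleRun's own code. It assumes that the expected SHA-256 fingerprint of the Coordinator's certificate has been obtained out of band from the manifest-verification step (how that step works is outside this advisory), and it uses throwaway self-signed certificates generated in-process to stand in for two Coordinator instances running the same binary.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"time"
)

// Fingerprint is the SHA-256 hash of a certificate's DER encoding.
type Fingerprint [sha256.Size]byte

// FingerprintOf returns the SHA-256 fingerprint of a DER-encoded certificate.
func FingerprintOf(der []byte) Fingerprint { return sha256.Sum256(der) }

// VerifyPinned returns a tls.Config VerifyPeerCertificate callback. The handshake
// succeeds only if the leaf certificate presented by the peer has exactly the
// expected fingerprint; a different Coordinator instance, even one running the
// identical binary, presents a different certificate and is rejected.
func VerifyPinned(expected Fingerprint) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		got := FingerprintOf(rawCerts[0])
		if got != expected {
			return fmt.Errorf("certificate fingerprint mismatch: got %s, want %s",
				hex.EncodeToString(got[:]), hex.EncodeToString(expected[:]))
		}
		return nil
	}
}

// PinnedClient builds an HTTP client for the Coordinator's REST API in which
// every TLS handshake must present the pinned certificate. Chain validation
// against system roots is skipped because the Coordinator certificate is
// self-issued; the pin, not a CA, authenticates the peer.
func PinnedClient(expected Fingerprint) *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				InsecureSkipVerify:    true, // replaced by the pin check below
				VerifyPeerCertificate: VerifyPinned(expected),
			},
		},
	}
}

// NewSelfSignedCert creates a throwaway self-signed certificate (DER). This is
// constructed test data standing in for a Coordinator instance, not a real
// Coordinator certificate.
func NewSelfSignedCert(name string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Two instances of the same binary: only "coordinator-a" matches the Manifest we verified.
	certA, err := NewSelfSignedCert("coordinator-a")
	if err != nil {
		log.Fatal(err)
	}
	certB, err := NewSelfSignedCert("coordinator-b")
	if err != nil {
		log.Fatal(err)
	}
	pinned := FingerprintOf(certA) // assumed to come from the manifest-verification step
	verify := VerifyPinned(pinned)
	fmt.Println("pinned instance:", verify([][]byte{certA}, nil))  // <nil>
	fmt.Println("other instance: ", verify([][]byte{certB}, nil))  // fingerprint mismatch error
	_ = PinnedClient(pinned) // use this client for all subsequent REST calls to the Coordinator
}
```

The pin is on the whole leaf certificate rather than a hostname or CA, which is the property the advisory relies on: a redirect to a second instance cannot succeed without that instance also holding the pinned certificate's private key.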
High severity GitHub Reviewed Published Dec 4, 2023 in edgelesssys/marblerun • Updated Dec 4, 2023
Package
gomod github.com/edgelesssys/marblerun (Go)
Affected versions
< 1.4.0
References
- GHSA-j3rq-4xjw-xg63
- https://github.com/edgelesssys/marblerun/releases/tag/v1.4.0
Published to the GitHub Advisory Database
Dec 4, 2023