GHSA-6w5f-5wgr-qjg5 – github.com/edgelesssys/constellation/v2

Package

Manager: go
Name: github.com/edgelesssys/constellation/v2
Vulnerable Version: >=0 <2.6.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: N/A pctlN/A

Details

Constellation allows Emergency shell access during initramfs boot phase ### Impact An active attacker could let the boot fail on purpose in the initramfs, dropping the serial console into an emergency shell. This gives attackers with access to the serial console full control over the VM. ### Patches The issue has been patched in [v2.6.0](https://github.com/edgelesssys/constellation/releases/tag/v2.6.0). ### Workarounds none

Metadata

Created: 2023-03-09T20:21:36Z
Modified: 2023-03-09T20:21:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-6w5f-5wgr-qjg5/GHSA-6w5f-5wgr-qjg5.json
CWE IDs: []
Alternative ID: N/A
Finding: F004
Auto approve: 1