GHSA-x5r5-2qrx-rqj8 – github.com/edgelesssys/marblerun
Package
Manager: go
Name: github.com/edgelesssys/marblerun
Vulnerable Version: >=0 <1.4.1
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Transparent TLS may not be applied to Marbles with certain manifest configurations

Transparent TLS (TTLS) is a MarbleRun feature that wraps plain TCP connections between Marbles in TLS. In the manifest, a user defines the connections that should be considered.

### Impact

If a Marble is configured for TTLS, but doesn't have an environment variable defined in its parameters, TTLS is not applied. The traffic will not be encrypted. MarbleRun deployments that don't use TTLS (which is only available with EGo Marbles) are not affected.

### Patches

The issue has been patched in [`v1.4.1`](https://github.com/edgelesssys/marblerun/releases/tag/v1.4.1).

### Workarounds

Make sure that all Marbles that use TTLS have an environment variable defined in their parameters.

### References

For a description of TTLS, see <https://docs.edgeless.systems/marblerun/features/transparent-TLS>

See the updated section on TTLS configuration in the manifest: <https://docs.edgeless.systems/marblerun/workflows/define-manifest#tls>
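An added example, not code from the advisory or the MarbleRun project: a Go check that lists the Marbles in a manifest that reference a TTLS tag but define no environment variable, which is the configuration described under Impact. The field names `Marbles`, `Parameters`, `Env` and `TLS` are assumptions taken from the MarbleRun manifest documentation, and the sample manifest is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Subset of the manifest needed for the check. Field names are assumptions
// based on the MarbleRun manifest documentation, not taken from the advisory.
type manifest struct {
	Marbles map[string]struct {
		Parameters struct {
			Env map[string]json.RawMessage // values may be strings or objects
		}
		TLS []string // names of TTLS tags the Marble uses
	}
}

// MarblesAtRisk returns, sorted, the Marbles that use TTLS but have no
// environment variable in their parameters. An empty Env object is treated
// the same as a missing one (a conservative assumption).
func MarblesAtRisk(manifestJSON []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("parsing manifest: %w", err)
	}
	var names []string
	for name, marble := range m.Marbles {
		if len(marble.TLS) > 0 && len(marble.Parameters.Env) == 0 {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names, nil
}

// Constructed sample manifest: "backend" and "cache" use TTLS without Env.
const sampleManifest = `{
  "Marbles": {
    "frontend": {"Parameters": {"Env": {"PORT": "8080"}}, "TLS": ["web"]},
    "backend":  {"Parameters": {"Argv": ["./backend"]}, "TLS": ["web"]},
    "cache":    {"Parameters": {"Env": {}}, "TLS": ["web"]},
    "worker":   {"Parameters": {"Argv": ["./worker"]}}
  },
  "TLS": {"web": {"Outgoing": [{"Port": "8080", "Addr": "backend"}]}}
}`

func main() { fmt.Println(MarblesAtRisk([]byte(sampleManifest))) }
```

On versions before `v1.4.1`, any Marble this reports needs an environment variable added to its parameters, per the workaround above.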
Metadata
Created: 2024-02-27T19:02:15Z
Modified: 2024-02-27T19:02:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-x5r5-2qrx-rqj8/GHSA-x5r5-2qrx-rqj8.json
CWE IDs: []
Alternative ID: N/A
Finding: F332
Auto approve: 1