GMS-2023-5514: Go package github.com/edgelesssys/marblerun CLI commands susceptible to MITM attacks
Impact
Any CLI command issued to a Coordinator after the Manifest has been set can be redirected to another MarbleRun Coordinator instance that runs the same binary but potentially a different manifest. The CLI establishes only that the peer runs the expected Coordinator binary, so a second instance with the same binary is accepted even though it does not hold the Manifest the operator set, and an attacker able to intercept the connection can divert the command to it.
Patches
The issue has been patched in v1.4.0.
Workarounds
Bypassing the CLI and using the Coordinator's REST API directly, while manually verifying the Coordinator's certificate and pinning it to the Manifest that was set, avoids the issue: a command can then only be answered by the Coordinator that presents the pinned certificate and reports the expected Manifest.
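The workaround above carried out in Go, as an added example that is not part of this advisory or of MarbleRun's own code. It assumes that the Coordinator's client API answers GET /manifest with a JSON object whose data.ManifestSignature field is the hex SHA-256 over the manifest bytes that were set, and that the operator has obtained the SHA-256 fingerprint of the Coordinator's root certificate out of band (for example from an attested quote); the endpoint path, the field name and the flag names are assumptions, not documented MarbleRun interfaces.

```go
// Added example (not MarbleRun's own code): call the Coordinator REST API over
// a TLS connection pinned to the Coordinator root certificate, then check that
// the Coordinator reports the manifest the operator actually set.
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"errors"
	"flag"
	"fmt"
	"io"
	"net/http"
	"os"
)

// Fingerprint returns the lowercase hex SHA-256 over a DER-encoded certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// NewPinnedClient returns an HTTP client that accepts a server only if the
// presented chain is anchored in a certificate whose fingerprint equals rootFP
// and the leaf is valid for host. Only the pinned root is trusted, so another
// Coordinator instance with the same binary but its own root key is rejected.
func NewPinnedClient(host, rootFP string) *http.Client {
	verify := func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("server presented no certificate")
		}
		roots, inters := x509.NewCertPool(), x509.NewCertPool()
		var leaf *x509.Certificate
		for i, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return fmt.Errorf("parse presented certificate %d: %w", i, err)
			}
			switch {
			case Fingerprint(raw) == rootFP:
				roots.AddCert(c) // the pinned root, wherever the server placed it
			case i == 0:
				leaf = c
			default:
				inters.AddCert(c)
			}
		}
		if leaf == nil { // the leaf itself is the pinned (self-signed) certificate
			leaf, _ = x509.ParseCertificate(rawCerts[0])
		}
		opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host}
		if _, err := leaf.Verify(opts); err != nil {
			return fmt.Errorf("certificate does not chain to pinned root %s: %w", rootFP, err)
		}
		return nil
	}
	cfg := &tls.Config{
		// Default verification is disabled and fully replaced by verify above;
		// the system trust store plays no role for a Coordinator connection.
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: verify,
		MinVersion:            tls.VersionTLS12,
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// manifestReply is the assumed shape of the reply to GET /manifest:
// ManifestSignature carries the hex SHA-256 over the manifest that was set.
type manifestReply struct {
	Data struct {
		ManifestSignature string `json:"ManifestSignature"`
	} `json:"data"`
}

// VerifyManifest fetches the Coordinator's manifest hash over the pinned client
// and compares it with the hash of the manifest the operator expects to be set.
func VerifyManifest(client *http.Client, baseURL string, expected []byte) error {
	resp, err := client.Get(baseURL + "/manifest")
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("manifest endpoint returned %s", resp.Status)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return err
	}
	var reply manifestReply
	if err := json.Unmarshal(body, &reply); err != nil {
		return fmt.Errorf("decode manifest reply: %w", err)
	}
	want := sha256.Sum256(expected)
	if reply.Data.ManifestSignature != hex.EncodeToString(want[:]) {
		return fmt.Errorf("manifest mismatch: coordinator reports %q, expected %x", reply.Data.ManifestSignature, want)
	}
	return nil
}

func main() {
	addr := flag.String("addr", "https://localhost:4433", "Coordinator client API base URL (assumed default)")
	host := flag.String("host", "localhost", "name the Coordinator certificate must be valid for")
	rootFP := flag.String("root-fp", "", "hex SHA-256 of the pinned Coordinator root certificate (DER)")
	manifest := flag.String("manifest", "manifest.json", "manifest that was set on the Coordinator")
	flag.Parse()
	m, err := os.ReadFile(*manifest)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := VerifyManifest(NewPinnedClient(*host, *rootFP), *addr, m); err != nil {
		fmt.Fprintln(os.Stderr, "verification failed:", err)
		os.Exit(1)
	}
	fmt.Println("coordinator certificate pinned and manifest verified")
}
```

Both checks are needed: the pin alone proves which Coordinator answered, and the manifest comparison proves that this Coordinator holds the Manifest the operator set rather than one with a different manifest. The pinned fingerprint must come from an out-of-band, attested source; taking it from the same connection would reintroduce the redirection.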
References