GHSA-4c4v-42hc-72p6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4c4v-42hc-72p6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-4c4v-42hc-72p6/GHSA-4c4v-42hc-72p6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4c4v-42hc-72p6
- Aliases
-
- CVE-2023-43633
- GO-2026-4428
- Published
- 2026-02-04T21:36:42Z
- Modified
- 2026-02-05T04:11:06.170542Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N CVSS Calculator
- Summary
- EVE's Debug Functions Unlockable Without Triggering Measured Boot
- Details
-
Impact
On boot, Pillar checks for /config/GlobalConfig/global.json and overrides system configuration if present. This allows enabling debug functions like SSH (debug.enable.ssh), USB keyboard (debug.enable.usb), and VNC access (app.allow.vnc) without triggering the measured boot. Thus, a user with physical access can take out the disk and modify the content of this file in the /config partition and then re-insert the disk.
Patches
Fixed in 10.1.0 and 9.4.3-lts
Workarounds
None
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-522", "CWE-922" ], "github_reviewed_at": "2026-02-04T21:36:42Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/lf-edge/eve/security/advisories/GHSA-4c4v-42hc-72p6
- https://nvd.nist.gov/vuln/detail/CVE-2023-43633
- https://github.com/lf-edge/eve/commit/5fef4d92e75838cc78010edaed5247dfbdae1889
- https://github.com/lf-edge/eve/commit/aa3501d6c57206ced222c33aea15a9169d629141
- https://asrg.io/security-advisories/cve-2023-43633
- https://asrg.io/security-advisories/debug-functions-unlockable-without-triggering-measured-boot
- https://github.com/lf-edge/eve
Affected packages
Go / github.com/lf-edge/eve
Package
- Name
- github.com/lf-edge/eve
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/lf-edge/eve