GHSA-r2h5-3hgw-8j34

Suggest an improvement
Source
https://github.com/advisories/GHSA-r2h5-3hgw-8j34
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-r2h5-3hgw-8j34/GHSA-r2h5-3hgw-8j34.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r2h5-3hgw-8j34
Aliases
Published
2023-02-17T20:51:24Z
Modified
2024-08-20T20:59:06.947612Z
Summary
User data in TPM attestation vulnerable to MITM
Details

Impact

Attestation user data (such as the digest of the public key in an aTLS connection) was bound to the issuer's TPM, but not to its PCR state. An attacker could intercept a node initialization, initialize the node themselves, and then impersonate an uninitialized node to the validator. In practice, this meant that a CSP insider with sufficient privileges would have been able to join a node under their control to a Constellation cluster.

Patches

The issue has been patched in v2.5.2.

Workarounds

none

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-17T20:51:24Z"
}
References

Affected packages

Go / github.com/edgelesssys/constellation/v2

Package

Name
github.com/edgelesssys/constellation/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/edgelesssys/constellation/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.5.2

Database specific

{
    "last_known_affected_version_range": "<= 2.5.1"
}