GHSA-r2h5-3hgw-8j34

Source

https://github.com/advisories/GHSA-r2h5-3hgw-8j34

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-r2h5-3hgw-8j34/GHSA-r2h5-3hgw-8j34.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r2h5-3hgw-8j34

Aliases

GO-2023-1583

Published

2023-02-17T20:51:24Z

Modified

2024-08-20T20:59:06.947612Z

Summary

User data in TPM attestation vulnerable to MITM

Details

Impact

Attestation user data (such as the digest of the public key in an aTLS connection) was bound to the issuer's TPM, but not to its PCR state. An attacker could intercept a node initialization, initialize the node themselves, and then impersonate an uninitialized node to the validator. In practice, this meant that a CSP insider with sufficient privileges would have been able to join a node under their control to a Constellation cluster.

Patches

The issue has been patched in v2.5.2.

Workarounds

none

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-17T20:51:24Z"
}

References

Affected packages

Go / github.com/edgelesssys/constellation/v2

Package

Name: github.com/edgelesssys/constellation/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/edgelesssys/constellation/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.2

Database specific

{
    "last_known_affected_version_range": "<= 2.5.1"
}