Improper Authorization Affecting github.com/edgelesssys/marblerun/cli/internal/cmd package, versions <1.7.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Improper Authorization vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-GOLANG-GITHUBCOMEDGELESSSYSMARBLERUNCLIINTERNALCMD-8706115
- published10 Feb 2025
- disclosed4 Feb 2025
- creditUnknown
Introduced: 4 Feb 2025
CVE NOT AVAILABLE CWE-285 (opens in a new tab)How to fix?
Upgrade github.com/edgelesssys/marblerun/cli/internal/cmd to version 1.7.0 or higher.
Overview
Affected versions of this package are vulnerable to Improper Authorization due to missing validations of the key provided by a party with access to one of the recovery keys defined in the manifest. This allows an attacker to manually craft a sealed state using their own recovery keys, and a manifest that does not match the rest of the state.
Note: This issue does not affect the following:
Secrets and state of the legitimate Coordinator instances.
Integrity of workloads.
Certificates chaining back to the legitimate Coordinator root certificate.