Upgrade github.com/edgelesssys/marblerun/coordinator/server/v2 to version 1.7.0 or higher.
Affected versions of this package are vulnerable to Improper Authorization due to missing validations of the key provided by a party with access to one of the recovery keys defined in the manifest. This allows an attacker to manually craft a sealed state using their own recovery keys, and a manifest that does not match the rest of the state.
Note: This issue does not affect the following:
- Secrets and state of the legitimate Coordinator instances.
- Integrity of workloads.
- Certificates chaining back to the legitimate Coordinator root certificate.