{
  "schema_version": "1.4.0",
  "id": "GHSA-r2h5-3hgw-8j34",
  "modified": "2023-02-17T20:51:24Z",
  "published": "2023-02-17T20:51:24Z",
  "aliases": [],
  "summary": "User data in TPM attestation vulnerable to MITM",
  "details": "### Impact\nAttestation *user data* (such as the digest of the public key in an aTLS connection) was bound to the issuer's TPM, but not to its PCR state. An attacker could intercept a node initialization, initialize the node themselves, and then impersonate an uninitialized node to the validator. In practice, this meant that a CSP insider with sufficient privileges would have been able to join a node under their control to a Constellation cluster.\n\n### Patches\nThe issue has been patched in [v2.5.2](https://github.com/edgelesssys/constellation/releases/tag/v2.5.2).\n\n### Workarounds\nnone",
  "severity": [],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/edgelesssys/constellation/v2"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.2"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "<= 2.5.1"
      }
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/constellation/security/advisories/GHSA-r2h5-3hgw-8j34"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/edgelesssys/constellation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/constellation/releases/tag/v2.5.2"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-17T20:51:24Z",
    "nvd_published_at": null
  }
}