{
  "schema_version": "1.4.0",
  "id": "GHSA-x5r5-2qrx-rqj8",
  "modified": "2024-02-27T19:02:15Z",
  "published": "2024-02-27T19:02:15Z",
  "aliases": [],
  "summary": "Transparent TLS may not be applied to Marbles with certain manifest configurations",
  "details": "Transparent TLS (TTLS) is a MarbleRun feature that wraps plain TCP connections between Marbles in TLS.\nIn the manifest, a user defines the connections that should be considered.\n\n### Impact\nIf a Marble is configured for TTLS, but doesn't have an environment variable defined in its parameters, TTLS is not applied.\nThe traffic will not be encrypted.\n\nMarbleRun deployments that don't use TTLS (which is only available with EGo Marbles) are not affected.\n\n### Patches\nThe issue has been patched in [`v1.4.1`](https://github.com/edgelesssys/marblerun/releases/tag/v1.4.1).\n\n### Workarounds\nMake sure that all Marbles that use TTLS have an environment variable defined in their parameters.\n\n### References\nFor a description of TTLS, see <https://docs.edgeless.systems/marblerun/features/transparent-TLS>\nSee the updated section on TTLS configuration in the manifest: <https://docs.edgeless.systems/marblerun/workflows/define-manifest#tls> \n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/edgelesssys/marblerun"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/marblerun/security/advisories/GHSA-x5r5-2qrx-rqj8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/marblerun/commit/0330ced092253613a07abe7b330ff6ac6fc6e9c6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/marblerun/commit/e5bcfe32883d22f3d87ffc9400f9fdb5ecbe3200"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/edgelesssys/marblerun"
    },
    {
      "type": "WEB",
      "url": "https://github.com/edgelesssys/marblerun/releases/tag/v1.4.1"
    }
  ],
  "database_specific": {
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-27T19:02:15Z",
    "nvd_published_at": null
  }
}