
GHSA-j3rq-4xjw-xg63: vulnerability analysis and mitigation

Overview

A high-severity vulnerability (GHSA-j3rq-4xjw-xg63) was discovered in the Go package github.com/edgelesssys/marblerun affecting versions prior to 1.4.0. The vulnerability was disclosed and patched on December 4, 2023. The issue affects CLI commands in the MarbleRun package, specifically those issued to a Coordinator after the Manifest has been set (GitHub Advisory).

Technical details

The vulnerability is classified as CWE-300 and has been assigned a high severity rating. The technical issue involves CLI commands being susceptible to Man-in-the-Middle (MITM) attacks when interacting with a MarbleRun deployment after the manifest has been set. The vulnerability allows for potential redirection of commands to another MarbleRun Coordinator instance that runs the same binary but potentially with a different manifest (GitHub Advisory).

Impact

The vulnerability enables potential attackers to redirect CLI commands to a different MarbleRun Coordinator instance running the same binary but with a potentially different manifest. This could lead to unauthorized access and manipulation of the system's configuration (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 1.4.0 of the package. As a workaround, users can call the Coordinator's REST API directly, manually verify the Coordinator's certificate and pin it to the Manifest that was set. The patch pins the Coordinator root certificate for all commands that interact with the Coordinator after marblerun manifest set, saving the certificate to ~/.config/marblerun/coordinator-cert.pem by default (GitHub Release, GitHub Advisory).
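The workaround above, pinning the saved Coordinator root certificate when talking to the REST API directly, as an added Go example that is not MarbleRun's own code: the names PinnedTLSConfig, VerifyAgainstPin and SelfSignedRoot are mine, and the self-signed certificates are constructed test data standing in for a saved coordinator-cert.pem.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// PinnedTLSConfig trusts only the saved Coordinator root (by default
// ~/.config/marblerun/coordinator-cert.pem) and no system CA at all.
func PinnedTLSConfig(rootPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootPEM) {
		return nil, errors.New("pinned PEM contains no certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// VerifyAgainstPin runs the same chain check the TLS handshake would on a
// presented DER certificate; a Coordinator issued under any other root fails.
func VerifyAgainstPin(cfg *tls.Config, leafDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err
}

// SelfSignedRoot builds a throwaway self-signed CA (constructed test data, not a real Coordinator cert).
func SelfSignedRoot(cn string) (pemBytes, der []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), der, nil
}
```

Plug the returned config into an http.Transport for the REST API calls; a Coordinator presenting a certificate issued under any other root, even one running the same binary with a different manifest, fails the handshake instead of receiving the command.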

Source: This report was generated using AI.
