Home > Vulnerability Database > WS-2023-0044

Mend.io Vulnerability Database

WS-2023-0044

Good to know:

Date: February 17, 2023

User data in TPM attestation vulnerable to MITM. Attestation user data (such as the digest of the public key in an aTLS connection) was bound to the issuer's TPM, but not to its PCR state. An attacker could intercept a node initialization, initialize the node themselves, and then impersonate an uninitialized node to the validator. In practice, this meant that a CSP insider with sufficient privileges would have been able to join a node under their control to a Constellation cluster.

Language: Go

Severity Score

5.4

Related Resources (2)

Url: https://github.com/edgelesssys/constellation/commit/dfae30c9fa2ab848074c96278ffcd8d63671efa2

Url: https://www.mend.io/vulnerability-database/WS-2023-0044

Severity Score

5.4

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Top Fix

Upgrade Version

Upgrade to version v2.5.2

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2023-0044

Good to know:

Date: February 17, 2023

Language: Go

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?