CVE-2023-43633

MEDIUM5.9EPSS 0.02%

EVE's Debug Functions Unlockable Without Triggering Measured Boot

Published: 2/4/2026Modified: 2/5/2026

Also known as:GHSA-4c4v-42hc-72p6GO-2026-4428

Description

### Impact On boot, Pillar checks for /config/GlobalConfig/global.json and overrides system configuration if present. This allows enabling debug functions like SSH (debug.enable.ssh), USB keyboard (debug.enable.usb), and VNC access (app.allow.vnc) without triggering the measured boot. Thus, a user with physical access can take out the disk and modify the content of this file in the /config partition and then re-insert the disk. ### Patches Fixed in 10.1.0 and 9.4.3-lts ### Workarounds None

Affected packages (2)

Go/github.com/lf-edge/evefrom 0, < 0.0.0-20220708121648-5fef4d92e758
Go/github.com/lf-edge/evefrom 0, < 0.0.0-20220708121648-5fef4d92e758

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

References (7)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-43633
PATCHhttps://github.com/lf-edge/eve
WEBhttps://asrg.io/security-advisories/cve-2023-43633
WEBhttps://asrg.io/security-advisories/debug-functions-unlockable-without-triggering-measured-boot
WEBhttps://github.com/lf-edge/eve/commit/5fef4d92e75838cc78010edaed5247dfbdae1889
WEBhttps://github.com/lf-edge/eve/commit/aa3501d6c57206ced222c33aea15a9169d629141
WEBhttps://github.com/lf-edge/eve/security/advisories/GHSA-4c4v-42hc-72p6