7.5

CVE-2024-8287

EPSS 0.23%
Veröffentlicht 18.09.2024 19:15:41
Zuletzt bearbeitet 24.09.2024 15:52:38
Quelle security@ubuntu.com
CVE-Watchlists
Login
Unerledigt
Login

Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Canonical ≫ Anbox Cloud Version >= 1.17.0 < 1.23.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.457

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	1.6	5.9	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
security@ubuntu.com	7.5	1.6	5.9	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://bugs.launchpad.net/anbox-cloud/+bug/2077570

Vendor Advisory

https://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-been-released/48141

Release Notes

https://www.cve.org/CVERecord?id=CVE-2024-8287

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-8287

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-8287

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-8287

EUVD