1 vulnerability found for Anbox Cloud by Canonical Ltd.
CVE-2024-8287 (GCVE-0-2024-8287)
Vulnerability from cvelistv5
Published
2024-09-18 18:35
Modified
2024-09-19 20:25
Severity: 7.5 (HIGH), CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-295 (Improper Certificate Validation)
Summary
Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.
References
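| URL | Tags |
|---|---|
| https://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-been-released/48141 | vendor-advisory |
| https://bugs.launchpad.net/anbox-cloud/+bug/2077570 | issue-tracking |
| https://www.cve.org/CVERecord?id=CVE-2024-8287 | issue-tracking |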
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Canonical Ltd. | Anbox Cloud | Version: 1.17.0 ≤ version < 1.23.1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:canonical:anbox_cloud:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "anbox_cloud",
"vendor": "canonical",
"versions": [
{
"lessThan": "1.23.1",
"status": "affected",
"version": "1.17.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8287",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-19T20:23:48.348893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-19T20:25:24.637Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"packageName": "anbox",
"platforms": [
"Linux"
],
"product": "Anbox Cloud",
"vendor": "Canonical Ltd.",
"versions": [
{
"lessThan": "1.23.1",
"status": "affected",
"version": "1.17.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Simon Fels"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Simon Fels"
}
],
"descriptions": [
{
"lang": "en",
"value": "Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T18:52:28.961Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-been-released/48141"
},
{
"tags": [
"issue-tracking"
],
"url": "https://bugs.launchpad.net/anbox-cloud/+bug/2077570"
},
{
"tags": [
"issue-tracking"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8287"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-8287",
"datePublished": "2024-09-18T18:35:25.803Z",
"dateReserved": "2024-08-28T19:43:49.942Z",
"dateUpdated": "2024-09-19T20:25:24.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}