Products
Anbox Management Service
- 1.17.0 - 1.23.0
Source
security@ubuntu.com
Tags
CVE-2024-8287 details
Published : Sept. 18, 2024, 7:15 p.m.
Last Modified : Sept. 18, 2024, 7:15 p.m.
Last Modified : Sept. 18, 2024, 7:15 p.m.
Description
Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7.5 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-295 | Improper Certificate Validation | The product does not validate, or incorrectly validates, a certificate. |
CVSS Data
Attack Vector
ADJACENT_NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
7.5
Exploitability Score
1.6
Impact Score
5.9
Base Severity
HIGH
Vector String : CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References
| URL | Source |
|---|---|
| https://bugs.launchpad.net/anbox-cloud/+bug/2077570 | security@ubuntu.com |
| https://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-been-released/48141 | security@ubuntu.com |
| https://www.cve.org/CVERecord?id=CVE-2024-8287 | security@ubuntu.com |
This website uses the NVD API, but is not approved or certified by it.