CVE-2024-8287

Sept. 24, 2024, 3:52 p.m.

7.5
High

Description

Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.

Product(s) Impacted

Vendor Product Versions
Canonical
  • Anbox Cloud
  • *

Weaknesses

CWE-295
Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.

*CPE(s)

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a canonical anbox_cloud / / / / / / / /

References

https://bugs.launchpad.net/anbox-cloud/+bug/2077570
https://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-been-released/48141
https://www.cve.org/CVERecord?id=CVE-2024-8287

Tags

security@ubuntu.com
CWE-295
2024-09-18
CVE-2024-8287

CVSS Score

7.5 / 10

CVSS Data

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
    • View Vector String

    CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Date

  • Published: Sept. 18, 2024, 7:15 p.m.
  • Last Modified: Sept. 24, 2024, 3:52 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@ubuntu.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.