exploitDog

CVE-2024-2307

Published: 19 Mar 2024
Source: redhat
CVSS3: 6.1
EPSS: Low

Description

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.

Statement

The race condition in osbuild-composer that unintentionally disables GPG verification for third-party repositories introduces a moderate severity risk. While the issue can allow untrusted code to be installed into built images, its impact is limited to scenarios where a third-party repository with GPG-checked RPMs and another repository with GPG checking disabled are added concurrently. In addition, the vulnerability only manifests when the insecure setting wins the race, which further narrows the circumstances under which it can be exploited. However, the potential for bypassing GPG verification in these configurations poses a tangible risk to the integrity of built images, justifying its classification as a moderate severity issue.
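To make the bug class concrete, here is an added example in Go (the language osbuild-composer is written in). It is not osbuild-composer's code and does not reproduce its internals: the types, function names and repository data are hypothetical. It contrasts a shared-state pattern, where the GPG setting of whichever repository is added last applies to all of them, with a per-repository pattern, and adds a fail-closed gate that refuses to start a build when a repository that ships a GPG key has ended up with verification disabled. The racy interleaving is modelled deterministically (all writes land before any read) so the outcome is reproducible.

```go
package main

import "fmt"

// Repo is a hypothetical, simplified repository definition of the kind an
// image builder takes as input. It is not osbuild-composer's own type.
type Repo struct {
	Name     string
	BaseURL  string
	GPGKey   string // key material or key URL; empty when the repo ships no key
	CheckGPG bool   // the setting the caller asked for
}

// Resolved is the per-repository setting the build phase would actually pass
// to the package manager.
type Resolved struct {
	Name     string
	CheckGPG bool
}

// sharedCheckGPG models the bug class (CWE-362): one piece of state shared by
// every repository being added, instead of a field carried by each repository.
var sharedCheckGPG bool

// resolveShared models the vulnerable pattern. Each repository's requested
// setting is written to shared state as it is added, and the effective setting
// is read back afterwards, so whichever write lands last applies to all of
// them. The racy interleaving is fixed deterministically here (all writes
// before any read) so the result can be asserted on.
func resolveShared(repos []Repo) []Resolved {
	for _, r := range repos {
		sharedCheckGPG = r.CheckGPG // last writer wins
	}
	out := make([]Resolved, 0, len(repos))
	for _, r := range repos {
		out = append(out, Resolved{Name: r.Name, CheckGPG: sharedCheckGPG})
	}
	return out
}

// resolvePerRepo is the corrected pattern: the setting travels with the
// repository it belongs to and nothing is shared between concurrent adds.
func resolvePerRepo(repos []Repo) []Resolved {
	out := make([]Resolved, 0, len(repos))
	for _, r := range repos {
		out = append(out, Resolved{Name: r.Name, CheckGPG: r.CheckGPG})
	}
	return out
}

// verifyPolicy is a fail-closed gate to run before the build phase starts:
// any repository that ships a GPG key must still have verification enabled in
// the resolved configuration, whatever happened while the repos were added.
// This catches the CWE-347 outcome regardless of how the race resolved.
func verifyPolicy(repos []Repo, resolved []Resolved) error {
	mustCheck := make(map[string]bool, len(repos))
	for _, r := range repos {
		if r.GPGKey != "" {
			mustCheck[r.Name] = true
		}
	}
	for _, rr := range resolved {
		if mustCheck[rr.Name] && !rr.CheckGPG {
			return fmt.Errorf("repo %q ships a GPG key but verification is disabled", rr.Name)
		}
	}
	return nil
}

// sampleRepos is constructed input: a signed third-party repository followed
// by an unsigned one that is added at the same time. The URLs and key are
// placeholders, not real infrastructure.
func sampleRepos() []Repo {
	return []Repo{
		{Name: "vendor", BaseURL: "https://repo.example.invalid/vendor",
			GPGKey: "-----BEGIN PGP PUBLIC KEY BLOCK-----\n...placeholder...\n-----END PGP PUBLIC KEY BLOCK-----",
			CheckGPG: true},
		{Name: "local-unsigned", BaseURL: "https://repo.example.invalid/local", CheckGPG: false},
	}
}

func main() {
	repos := sampleRepos()

	racy := resolveShared(repos)
	fmt.Printf("shared state:   %+v\n", racy)
	fmt.Println("policy check:  ", verifyPolicy(repos, racy))

	fixed := resolvePerRepo(repos)
	fmt.Printf("per-repo state: %+v\n", fixed)
	fmt.Println("policy check:  ", verifyPolicy(repos, fixed))
}
```

With the unsigned repository added last, the shared-state version leaves the signed vendor repository with verification off, which is the outcome the statement describes as the insecure setting winning; with the order reversed, the unsigned repository instead gains verification and the build would fail on it, a loud failure rather than a silent bypass. That asymmetry is why the issue only bites in one of the two possible interleavings, and why a policy gate on the resolved configuration is worth having even after the per-repository fix.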

Mitigation

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Additional information

Severity:

Moderate
Weakness:
CWE-362 (Race Condition) -> CWE-347 (Improper Verification of Cryptographic Signature)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2268513 (osbuild-composer: race condition may disable GPG verification for package repositories)

EPSS: 0.00008 (percentile 0%, Low)

CVSS3: 6.1 (Medium)

Related vulnerabilities

nvd (CVSS3: 6.1, more than 1 year ago)

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.

rocky (about 1 year ago)

Moderate: Image builder components bug fix, enhancement and security update

github (CVSS3: 6.1, more than 1 year ago)

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.

oracle-oval (about 1 year ago)

ELSA-2024-2961: Image builder components bug fix, enhancement and security update (MODERATE)

oracle-oval (more than 1 year ago)

ELSA-2024-2119: Image builder components bug fix, enhancement and security update (MODERATE)
