CVE Vulnerabilities

CVE-2021-3716

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

Published: Mar 02, 2022 | Modified: Nov 21, 2024
CVSS 3.x
3.1
LOW
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS 2.x
3.5 LOW
AV:N/AC:M/Au:S/C:N/I:N/A:P
RedHat/V2
RedHat/V3
3.5 LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM

A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.

Weakness

The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that the message was not modified during transmission.

Affected Software

Name Vendor Start Version End Version
Nbdkit Nbdkit_project 1.11.8 (including) 1.24.6 (excluding)
Nbdkit Nbdkit_project 1.25.1 (including) 1.26.5 (excluding)
Nbdkit Nbdkit_project 1.27.1 (including) 1.27.6 (excluding)
Advanced Virtualization for RHEL 8.5.0.Z RedHat virt:av-8050020220115095224.c5368500 *
Advanced Virtualization for RHEL 8.5.0.Z RedHat virt-devel:av-8050020220115095224.c5368500 *
Red Hat Enterprise Linux 8 RedHat virt-devel:rhel-8060020220408104655.d63f516d *
Red Hat Enterprise Linux 8 RedHat virt:rhel-8060020220408104655.d63f516d *
Nbdkit Ubuntu hirsute *
Nbdkit Ubuntu impish *
Nbdkit Ubuntu kinetic *
Nbdkit Ubuntu lunar *
Nbdkit Ubuntu mantic *
Nbdkit Ubuntu trusty *
Nbdkit Ubuntu xenial *

References