CVE Vulnerabilities

CVE-2024-8287

Improper Certificate Validation

Published: Sep 18, 2024 | Modified: Sep 24, 2024
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
root.io minimus.io echohq.com

Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Anbox_cloud Canonical 1.17.0 (including) 1.23.1 (excluding)

Potential Mitigations

References