CVE-2024-8007

A flaw was found in the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2024-8007	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2305975	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:openstack_platform:16.1:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.2:::::::*
	cpe:2.3:a:redhat:openstack_platform:17.1:::::::*

History

23 Aug 2024, 17:06

Type	Values Removed	Values Added
Summary		(es) Se encontró una falla en el director de Red Hat OpenStack Platform (RHOSP). Esta vulnerabilidad permite a un atacante implementar imágenes de contenedores potencialmente comprometidas deshabilitando la verificación de certificados TLS para espejos de registro, lo que podría habilitar un ataque de intermediario (MITM).
CPE		cpe:2.3:a:redhat:openstack_platform:16.1:::::::* cpe:2.3:a:redhat:openstack_platform:17.1:::::::* cpe:2.3:a:redhat:openstack_platform:16.2:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 8.1
First Time		Redhat Redhat openstack Platform
References	~~() https://access.redhat.com/security/cve/CVE-2024-8007 -~~	() https://access.redhat.com/security/cve/CVE-2024-8007 - Vendor Advisory
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2305975 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2305975 - Issue Tracking, Vendor Advisory

21 Aug 2024, 16:06

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-21 14:15

Updated : 2024-09-18 08:15

NVD link : CVE-2024-8007

Mitre link : CVE-2024-8007

CVE.ORG link : CVE-2024-8007

JSON object : View

Products Affected

redhat

openstack_platform

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2024-8007", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2024-08-21T14:15:09.753", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-8007", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305975", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el director de Red Hat OpenStack Platform (RHOSP). Esta vulnerabilidad permite a un atacante implementar im\u00e1genes de contenedores potencialmente comprometidas deshabilitando la verificaci\u00f3n de certificados TLS para espejos de registro, lo que podr\u00eda habilitar un ataque de intermediario (MITM)."}], "lastModified": "2024-09-18T08:15:06.990", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DCC81071-B46D-4F5D-AC25-B4A4CCC20C73"}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B3000D2-35DF-4A93-9FC0-1AD3AB8349B8"}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:17.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E315FC5C-FF19-43C9-A58A-CF2A5FF13824"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}