CVE-2024-2307

Published: Mar 19, 2024Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L

Exploitability: 0.6 / Impact: 5.5

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (8)

https://access.redhat.com/errata/RHSA-2024:2119

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2024:2961

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2024-2307

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2268513

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2024:2119

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2024:2961

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/security/cve/CVE-2024-2307

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=2268513

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.