CVE-2024-8287

High

Description

Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.

References

https://www.cve.org/CVERecord?id=CVE-2024-8287

https://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-been-released/48141

https://bugs.launchpad.net/anbox-cloud/+bug/2077570

Details

Source: MITRE, NVD

Published: 2024-09-18

Updated: 2024-09-24

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:A/AC:H/Au:N/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High