PT-2022-10636 · Nbdkit+5 · Nbdkit+5

Eric Blake

Published

2022-03-02

Updated

2024-06-15

CVE-2021-3716

CVSS v2.0

3.5

Low

Vector

AV:N/AC:M/Au:S/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions nbdkit (affected versions not specified)

Description A flaw was found in nbdkit due to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD OPT STRUCTURED REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-924

Related Identifiers

ALSA-2022:1759

CESA-2022_1759

CVE-2021-3716

OPENSUSE-SU-2024:11078-1

RHSA-2022:0397

RHSA-2022:1759

RHSA-2022_1759

RLSA-2022:1759

Affected Products

Almalinux

Centos

Debian

Red Hat

Rocky Linux

Nbdkit

PT-2022-10636 · Nbdkit+5 · Nbdkit+5

CVE-2021-3716

Weakness Enumeration

Related Identifiers

Affected Products

References · 177