PT-2024-2653 · Unknown · Osbuild-Composer

Author: Robb Gatica · Published: 2024-03-19 · Updated: 2024-08-20

CVE-2024-2307 · CVSS v2.0: 6.4 (Medium) · Vector: AV:L/AC:L/Au:S/C:C/I:C/A:P

Name of the Vulnerable Software and Affected Versions: osbuild-composer (affected versions not specified)

Description: A flaw in osbuild-composer can trigger a condition that disables GPG verification for package repositories. This exposes the build phase to a man-in-the-middle attack, allowing untrusted packages to be installed into the image being built. The root cause is incorrect cryptographic signature verification.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Verification of Cryptographic Signature

Race Condition

Related Identifiers

ALSA-2024:2119
ALSA-2024:2961
BDU:2024-02720
CESA-2024_2961
CVE-2024-2307
INFSA-2024_2119
INFSA-2024_2961
RHSA-2024:2119
RHSA-2024:2961
RHSA-2024_2119
RHSA-2024_2961
RLSA-2024:2961

Affected Products

Almalinux
Centos
Red Hat
Rocky Linux
Osbuild-Composer