PT-2024-37461 · Canonical · LXD
Markylaing · Published 2024-12-02 · Updated 2025-11-13 · CVE-2024-6219

CVSS v3.1: 3.8 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: LXD versions prior to 5.21.1
Description: In LXD's PKI mode, a restricted certificate could be added to the trust store without its restrictions being honoured. This occurs when the core.trust_ca_certificates configuration option is disabled: because a server.ca file is present in LXD_DIR, the restrictions applied to the certificate are ignored. As a result, a client presenting a restricted certificate gets full access to LXD.
Recommendations: For versions prior to 5.21.1, update to version 5.21.1 or later. As a temporary workaround, either disable PKI mode or enable the core.trust_ca_certificates configuration option (passwordless PKI with CRL-based revocation). Restrict access to the trust store to minimize the risk of exploitation, and do not add restricted certificates to the trust store until the server has been updated.
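The advisory names four conditions that must hold together: a server older than 5.21.1, PKI mode (server.ca in LXD_DIR), core.trust_ca_certificates disabled or unset, and a restricted certificate in the trust store. The script below is an added example, not part of the advisory or of the LXD project, that checks those four conditions on a host. It assumes the `lxc` client is pointed at the local server, that `lxc query /1.0` reports environment.server_version, and that LXD_DIR is /var/snap/lxd/common/lxd (snap) or /var/lib/lxd (package) when the variable is not exported; the sample trust-list JSON at the bottom is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the LXD project: audit an LXD host
# against the four conditions the advisory describes for CVE-2024-6219.
#   1. LXD server version older than 5.21.1
#   2. PKI mode in use (a server.ca file is present in LXD_DIR)
#   3. core.trust_ca_certificates is not enabled (false or unset)
#   4. at least one restricted certificate sits in the trust store
# Assumptions: the `lxc` client talks to the local server, `lxc query /1.0`
# reports environment.server_version, and LXD_DIR is /var/snap/lxd/common/lxd
# (snap) or /var/lib/lxd (package) when the variable is not exported.

# Turn "MAJOR.MINOR.PATCH" into one integer so versions compare numerically;
# a missing PATCH counts as 0 ("5.21" -> 5021000).
vkey() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# version_lt A B: succeeds when A is older than B.
version_lt() {
    [ "$(vkey "$1")" -lt "$(vkey "$2")" ]
}

# Count entries with "restricted": true in the JSON that
# `lxc config trust list --format json` prints (read from stdin).
count_restricted() {
    awk '{ n += gsub(/"restricted": *true/, "") } END { print n + 0 }'
}

# is_vulnerable VERSION TRUST_CA SERVER_CA RESTRICTED_COUNT
#   VERSION          server version string, e.g. "5.20"
#   TRUST_CA         value of core.trust_ca_certificates ("true", "false" or "")
#   SERVER_CA        "yes" if LXD_DIR/server.ca exists, otherwise "no"
#   RESTRICTED_COUNT number of restricted certificates in the trust store
# Succeeds only when every condition holds. The version range follows the
# advisory text literally (anything before 5.21.1).
is_vulnerable() {
    version_lt "$1" "5.21.1" || return 1
    [ "$3" = "yes" ] || return 1
    [ "$2" != "true" ] || return 1
    [ "$4" -gt 0 ] || return 1
}

# Gather the four facts from a live host and print a verdict.
audit_live() {
    version=$(lxc query /1.0 | sed -n 's/.*"server_version": *"\([^"]*\)".*/\1/p')
    trust_ca=$(lxc config get core.trust_ca_certificates)
    restricted=$(lxc config trust list --format json | count_restricted)
    server_ca=no
    for dir in "${LXD_DIR:-}" /var/snap/lxd/common/lxd /var/lib/lxd; do
        [ -n "$dir" ] && [ -f "$dir/server.ca" ] && server_ca=yes
    done
    printf 'version=%s trust_ca=%s server.ca=%s restricted_certs=%s\n' \
        "$version" "${trust_ca:-unset}" "$server_ca" "$restricted"
    if is_vulnerable "$version" "$trust_ca" "$server_ca" "$restricted"; then
        echo "VULNERABLE: restricted certificates get full access (CVE-2024-6219)"
        return 2
    fi
    echo "not affected by CVE-2024-6219 under the advisory's conditions"
}

# Constructed sample of `lxc config trust list --format json` output for the
# offline demonstration; names and fingerprints are made up.
SAMPLE_TRUST='[{"name":"ci-runner","type":"client","restricted":true,"projects":["ci"],"fingerprint":"aaaa1111"},
{"name":"operator","type":"client","restricted":false,"projects":[],"fingerprint":"bbbb2222"}]'

# Offline demonstration: a 5.20 server in PKI mode with the option unset and
# one restricted certificate matches all four conditions.
demo() {
    n=$(printf '%s\n' "$SAMPLE_TRUST" | count_restricted)
    if is_vulnerable "5.20" "" "yes" "$n"; then echo "demo: vulnerable"; else echo "demo: ok"; fi
}

case "${1:-}" in
    --live) audit_live ;;
    *) demo ;;
esac
```

Run it with `--live` on the LXD host to audit the real server; without arguments it only evaluates the constructed sample. A "not affected" verdict means the advisory's conditions do not all hold, not that the server is otherwise hardened; updating to 5.21.1 or later remains the fix.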

Fix: available (see Recommendations)

Weakness Enumeration

Improper Authentication
Improper Certificate Validation

Related Identifiers

CVE-2024-6219
GHSA-JPMC-7P9C-4RXF
GO-2024-3313
OPENSUSE-SU-2024:14567-1

Affected Products

LXD