The vulnerability of the OSBuild Composer service, related to improper verification of the cryptographic signature, allows a hacker to execute a “man-in-the-middle” attack.

🗓️ 08 Apr 2024 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 4 Views

OSBuild Composer vulnerability due to improper cryptographic signature verification enables MITM attacks.

Reporter	Title	Published	Views	Family All 35
Tenable Nessus	Alibaba Cloud Linux 3 : 0144: osbuild-composer bug fix, enhancement and (ALINUX3-SA-2024:0144)	14 May 202500:00	–	nessus
Tenable Nessus	CentOS 8 : Image builder components bug fix, enhancement and (CESA-2024:2961)	22 May 202400:00	–	nessus
Tenable Nessus	MiracleLinux 9 : Image builder components bug fix, enhancement and (AXSA:2024-8104:01)	20 Jan 202600:00	–	nessus
Tenable Nessus	MiracleLinux 8 : osbuild-composer-100-1.el8.ML.1, osbuild-110-1.el8.ML.1 (AXSA:2024-8384:02)	20 Jan 202600:00	–	nessus
Tenable Nessus	MiracleLinux 8 : osbuild-composer-101-1.el8.ML.1 (AXSA:2024-8449:02)	20 Jan 202600:00	–	nessus
Tenable Nessus	Oracle Linux 9 : Image / builder / components (ELSA-2024-2119)	6 May 202400:00	–	nessus
Tenable Nessus	Oracle Linux 8 : Image / builder / components (ELSA-2024-2961)	28 May 202400:00	–	nessus
Tenable Nessus	osbuild-composer < 94 Race Condition	22 Mar 202400:00	–	nessus
Tenable Nessus	RHEL 9 : Image builder components (RHSA-2024:2119)	30 Apr 202400:00	–	nessus
Tenable Nessus	RHEL 8 : Image builder components (RHSA-2024:2961)	23 May 202400:00	–	nessus

Vulners

Node

red_hat osbuild_composerRange<94

Source	Link
github	www.github.com/osbuild/osbuild-composer/commit/b786178077a23bc6aca9f65ee58651bd4dfb1244
access	www.access.redhat.com/security/cve/CVE-2024-2307
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
web	www.web.nvd.nist.gov/view/vuln/detail

08 Apr 2024 00:00Current

6.4Medium risk

Vulners AI Score6.4

CVSS 36.1

CVSS 26.4

EPSS0.00188

osbuild composer improper verification cryptographic signature man in middle