Lucene search

[email protected]NVD:CVE-2024-28872

HistoryJul 11, 2024 - 3:15 p.m.

CVE-2024-28872

2024-07-1115:15:11

CWE-295

[email protected]

web.nvd.nist.gov

tls certificate validation

stork server

stork agent

malicious commands

monitored services

data loss

denial of service

vulnerability

stork management tool

affected version restrictions

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

39.4%

JSON

The TLS certificate validation code is flawed. An attacker can obtain a TLS certificate from the Stork server and use it to connect to the Stork agent. Once this connection is established with the valid certificate, the attacker can send malicious commands to a monitored service (Kea or BIND 9), possibly resulting in confidential data loss and/or denial of service. It should be noted that this vulnerability is not related to BIND 9 or Kea directly, and only customers using the Stork management tool are potentially affected.
This issue affects Stork versions 0.15.0 through 1.15.0.

Affected configurations

Nvd

Node

iscstorkRange0.15.0–1.15.1

VendorProductVersionCPE
iscstork*cpe:2.3:a:isc:stork:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
isc	stork	*	cpe:2.3:a:isc:stork::::::::

References

kb.isc.org/docs/cve-2024-28872

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

39.4%

JSON

Related for NVD:CVE-2024-28872

cvelist1 cve1 vulnrichment1