Man-in-the-middle (MITM)

2021-08-2202:36:23

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

3.1 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:N/I:N/A:P

JSON

nbdkit:sid is vulnerable to man-in-the-middle. A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session.

CPENameOperatorVersion
nbdkit:sideq1.22.3-1.1+b1
nbdkiteq1.24.0__4.module_el8.6.0+1087+b42c8331
nbdkiteq1.4.2__4.module+el8.0.0+3273+6bc1ee54
nbdkiteq1.12.5__1.module+el8.1.0+3868+35f94834
nbdkiteq1.16.2__4.module_el8.5.0+746+bbd5d70c
nbdkiteq1.4.2__4.module+el8.0.0.z+3438+2851622e
nbdkiteq1.24.0__3.module+el8.5.0+13900+a08c0464
nbdkiteq1.16.2__2.module+el8.2.0+5664+dd92f997
nbdkiteq1.16.2__4.el8
nbdkiteq1.4.2__5.module_el8.0.0+189+f9babebb

Name	Operator	Version
nbdkit:sid	eq	1.22.3-1.1+b1
nbdkit	eq	1.24.0__4.module_el8.6.0+1087+b42c8331
nbdkit	eq	1.4.2__4.module+el8.0.0+3273+6bc1ee54
nbdkit	eq	1.12.5__1.module+el8.1.0+3868+35f94834
nbdkit	eq	1.16.2__4.module_el8.5.0+746+bbd5d70c
nbdkit	eq	1.4.2__4.module+el8.0.0.z+3438+2851622e
nbdkit	eq	1.24.0__3.module+el8.5.0+13900+a08c0464
nbdkit	eq	1.16.2__2.module+el8.2.0+5664+dd92f997
nbdkit	eq	1.16.2__4.el8
nbdkit	eq	1.4.2__5.module_el8.0.0+189+f9babebb