{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-2553", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-03T00:39:08.049Z", "dateReserved": "2022-07-27T00:00:00", "datePublished": "2022-07-28T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-10-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. As a result, nodes that do not have the correct authentication key are not prevented from communicating with other nodes in the cluster."}], "affected": [{"vendor": "n/a", "product": "Booth", "versions": [{"version": "Booth versions after v1.0-85-gda79b8b are vulnerable. Resolved in booth v1.0-263-g35bf0b7.", "status": "affected"}]}], "references": [{"url": "https://github.com/ClusterLabs/booth/commit/35bf0b7b048d715f671eb68974fb6b4af6528c67"}, {"name": "DSA-5194", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2022/dsa-5194"}, {"name": "FEDORA-2022-e0a87993b8", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4T4TTXAABVUCMPUL7XQ2PH5EYYOOQZY/"}, {"name": "FEDORA-2022-6744980220", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHDOFX7NQFH3UGZZA3SGW5SVMDDHIUVD/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-287", "cweId": "CWE-287"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T00:39:08.049Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/ClusterLabs/booth/commit/35bf0b7b048d715f671eb68974fb6b4af6528c67", "tags": ["x_transferred"]}, {"name": "DSA-5194", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5194"}, {"name": "FEDORA-2022-e0a87993b8", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4T4TTXAABVUCMPUL7XQ2PH5EYYOOQZY/"}, {"name": "FEDORA-2022-6744980220", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHDOFX7NQFH3UGZZA3SGW5SVMDDHIUVD/"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:clusterlabs:booth:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF42404A-28D1-45D0-BA18-B4BF9056735D", "versionEndIncluding": "1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. As a result, nodes that do not have the correct authentication key are not prevented from communicating with other nodes in the cluster."}, {"lang": "es", "value": "La directiva authfile en el archivo de configuraci\u00f3n de booth es ignorada, impidiendo el uso de la autenticaci\u00f3n en las comunicaciones de nodo a nodo. Como resultando, los nodos que no presentan la clave de autenticaci\u00f3n correcta no son impedidos de comunicarse con otros nodos en el cluster"}], "id": "CVE-2022-2553", "lastModified": "2023-11-07T03:46:39.867", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-28T15:15:07.663", "references": [{"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ClusterLabs/booth/commit/35bf0b7b048d715f671eb68974fb6b4af6528c67"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4T4TTXAABVUCMPUL7XQ2PH5EYYOOQZY/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHDOFX7NQFH3UGZZA3SGW5SVMDDHIUVD/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5194"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6439", "cpe": "cpe:/a:redhat:enterprise_linux:8::highavailability", "package": "booth-0:1.0-199.1.ac1d34c.git.el8_6.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-09-13T00:00:00Z"}, {"advisory": "RHSA-2022:6250", "cpe": "cpe:/a:redhat:rhel_eus:8.4::highavailability", "package": "booth-0:1.0-199.1.ac1d34c.git.el8_4.1", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-08-30T00:00:00Z"}, {"advisory": "RHSA-2022:6580", "cpe": "cpe:/a:redhat:enterprise_linux:9::highavailability", "package": "booth-0:1.0-251.3.bfb2f92.git.el9_0.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-09-20T00:00:00Z"}], "bugzilla": {"description": "booth: authfile directive in booth config file is completely ignored.", "id": "2109251", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2109251"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-287", "details": ["The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. As a result, nodes that do not have the correct authentication key are not prevented from communicating with other nodes in the cluster.", "A flaw was found in booth in the way it handles the authfile directive in configuration files, which causes authentication to be skipped between nodes. As a result, an attacker-controlled node that does not have the correct authentication key does not prevent communication with other nodes in the cluster."], "name": "CVE-2022-2553", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "booth", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2022-07-01T13:20:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-2553\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2553"], "threat_severity": "Moderate", "upstream_fix": "booth v1.0-263-g35bf0b7"}