A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.
Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

History

Wed, 06 Nov 2024 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-30T15:45:03.184Z

Reserved: 2024-03-07T21:19:24.246Z

Link: CVE-2024-2307

cve-icon Vulnrichment

Updated: 2024-08-01T19:11:52.858Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-03-19T17:15:12.520

Modified: 2024-11-21T09:09:28.410

Link: CVE-2024-2307

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-03-19T00:00:00Z

Links: CVE-2024-2307 - Bugzilla

cve-icon OpenCVE Enrichment

No data.