{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2307", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-03-07T21:19:24.246Z", "datePublished": "2024-03-19T16:16:31.902Z", "dateUpdated": "2024-11-23T00:26:19.359Z"}, "containers": {"cna": {"title": "Osbuild-composer: race condition may disable gpg verification for package repositories", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "94.0.0", "versionType": "semver"}], "packageName": "osbuild-composer", "collectionURL": "https://github.com/osbuild/osbuild-composer/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "osbuild-composer", "defaultStatus": "affected", "versions": [{"version": "0:101-1.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "osbuild-composer", "defaultStatus": "affected", "versions": [{"version": "0:101-1.el9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2119", "name": "RHSA-2024:2119", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2961", "name": "RHSA-2024:2961", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-2307", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268513", "name": "RHBZ#2268513", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-03-19T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-362->CWE-347: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') leads to Improper Verification of Cryptographic Signature", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-03-07T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-03-19T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-23T00:26:19.359Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2307", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-19T17:28:04.933623Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:13.526Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:52.858Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2119", "name": "RHSA-2024:2119", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2961", "name": "RHSA-2024:2961", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-2307", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268513", "name": "RHBZ#2268513", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2119", "name": "RHSA-2024:2119", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2961", "name": "RHSA-2024:2961", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-2307", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268513", "name": "RHBZ#2268513", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:11:52.858Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2307", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-19T17:28:04.933623Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:38.144Z"}}], "cna": {"title": "Osbuild-composer: race condition may disable gpg verification for package repositories", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "94.0.0", "versionType": "semver"}], "packageName": "osbuild-composer", "collectionURL": "https://github.com/osbuild/osbuild-composer/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:101-1.el8", "lessThan": "*", "versionType": "rpm"}], "packageName": "osbuild-composer", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:101-1.el9", "lessThan": "*", "versionType": "rpm"}], "packageName": "osbuild-composer", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-03-07T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-03-19T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-03-19T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2119", "name": "RHSA-2024:2119", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2961", "name": "RHSA-2024:2961", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-2307", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268513", "name": "RHBZ#2268513", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-23T00:26:19.359Z"}, "x_redhatCweChain": "CWE-362->CWE-347: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') leads to Improper Verification of Cryptographic Signature"}}, "cveMetadata": {"cveId": "CVE-2024-2307", "state": "PUBLISHED", "dateUpdated": "2024-11-23T00:26:19.359Z", "dateReserved": "2024-03-07T21:19:24.246Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-03-19T16:16:31.902Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en osbuild-composer. Se puede desencadenar una condici\u00f3n que deshabilite la verificaci\u00f3n GPG para repositorios de paquetes, lo que puede exponer la fase de compilaci\u00f3n a un ataque Man-in-the-Middle, permitiendo que se instale c\u00f3digo que no es de confianza en una imagen que se est\u00e1 compilando."}], "id": "CVE-2024-2307", "lastModified": "2024-11-21T09:09:28.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 0.6, "impactScore": 5.5, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-03-19T17:15:12.520", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2119"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2961"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-2307"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268513"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:2119"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2024:2961"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/security/cve/CVE-2024-2307"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268513"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2961", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "osbuild-composer-0:101-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2024:2119", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "osbuild-composer-0:101-1.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}], "bugzilla": {"description": "osbuild-composer: race condition may disable GPG verification for package repositories", "id": "2268513", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268513"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L", "status": "verified"}, "cwe": "CWE-362->CWE-347", "details": ["A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.", "A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-2307", "public_date": "2024-03-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-2307\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-2307"], "statement": "The race condition in osbuild-composer that leads to unintentional GPG verification disabling for third-party repositories introduces a moderate severity risk. While the issue can potentially allow the installation of untrusted code into built images, its impact is limited to scenarios where both a third-party repository with GPG-checked RPMs and another repository with GPG checking disabled are concurrently added. Additionally, the insecure setting winning due to the race condition further narrows the circumstances under which the vulnerability can be exploited. However, the potential for bypassing GPG verification in specific configurations poses a tangible risk to the integrity of built images, justifying its classification as a moderate severity issue.", "threat_severity": "Moderate", "upstream_fix": "osbuild-composer 94"}