{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7383", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-08-01T14:01:54.833Z", "datePublished": "2024-08-05T13:19:13.933Z", "dateUpdated": "2024-11-15T17:54:12.084Z"}, "containers": {"cna": {"title": "Libnbd: nbd server improper certificate validation", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic."}], "affected": [{"versions": [{"status": "affected", "version": "1.18.0", "lessThan": "1.18.5", "versionType": "semver"}, {"status": "affected", "version": "1.20.0", "lessThan": "1.20.2", "versionType": "semver"}], "packageName": "libnbd", "collectionURL": "https://gitlab.com/nbdkit/libnbd", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt-devel:rhel", "defaultStatus": "affected", "versions": [{"version": "8100020240905091210.489197e6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:rhel", "defaultStatus": "affected", "versions": [{"version": "8100020240905091210.489197e6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libnbd", "defaultStatus": "affected", "versions": [{"version": "0:1.18.1-4.el9_4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:av/libnbd", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6757", "name": "RHSA-2024:6757", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6964", "name": "RHSA-2024:6964", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7383", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302865", "name": "RHBZ#2302865", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/message/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2"}, {"url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/ENZY4LHLARA3N4C3JUNLPYUCXHFO7BWQ/"}], "datePublic": "2024-06-25T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "description": "Improper Certificate Validation", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-295: Improper Certificate Validation", "timeline": [{"lang": "en", "time": "2024-08-04T15:38:14.534000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-06-25T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Jon Szymaniak for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-15T17:54:12.084Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-06T16:15:33.971325Z", "id": "CVE-2024-7383", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T16:15:54.882Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7383", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-06T16:15:33.971325Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T13:45:17.760Z"}}], "cna": {"title": "Libnbd: nbd server improper certificate validation", "credits": [{"lang": "en", "value": "Red Hat would like to thank Jon Szymaniak for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "1.18.0", "lessThan": "1.18.5", "versionType": "semver"}, {"status": "affected", "version": "1.20.0", "lessThan": "1.20.2", "versionType": "semver"}], "packageName": "libnbd", "collectionURL": "https://gitlab.com/nbdkit/libnbd", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "8100020240905091210.489197e6", "lessThan": "*", "versionType": "rpm"}], "packageName": "virt-devel:rhel", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:enterprise_linux:8::crb"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "8100020240905091210.489197e6", "lessThan": "*", "versionType": "rpm"}], "packageName": "virt:rhel", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:1.18.1-4.el9_4", "lessThan": "*", "versionType": "rpm"}], "packageName": "libnbd", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:advanced_virtualization:8::el8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8 Advanced Virtualization", "packageName": "virt:av/libnbd", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-08-04T15:38:14.534000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-06-25T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-06-25T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:6757", "name": "RHSA-2024:6757", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:6964", "name": "RHSA-2024:6964", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-7383", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302865", "name": "RHBZ#2302865", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/message/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2"}, {"url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/ENZY4LHLARA3N4C3JUNLPYUCXHFO7BWQ/"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-15T17:54:12.084Z"}, "x_redhatCweChain": "CWE-295: Improper Certificate Validation"}}, "cveMetadata": {"cveId": "CVE-2024-7383", "state": "PUBLISHED", "dateUpdated": "2024-11-15T17:54:12.084Z", "dateReserved": "2024-08-01T14:01:54.833Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-08-05T13:19:13.933Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en libnbd. El cliente no siempre verificaba correctamente el certificado del servidor NBD cuando usaba TLS para conectarse a un servidor NBD. Este problema permite un ataque de intermediario al tr\u00e1fico NBD."}], "id": "CVE-2024-7383", "lastModified": "2024-09-25T01:15:45.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-08-05T14:15:35.130", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6757"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:6964"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-7383"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302865"}, {"source": "secalert@redhat.com", "url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/message/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2"}, {"source": "secalert@redhat.com", "url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/ENZY4LHLARA3N4C3JUNLPYUCXHFO7BWQ/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Jon Szymaniak for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:6964", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt-devel:rhel-8100020240905091210.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:6964", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "virt:rhel-8100020240905091210.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:6757", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libnbd-0:1.18.1-4.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-18T00:00:00Z"}], "bugzilla": {"description": "libnbd: NBD server improper certificate validation", "id": "2302865", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2302865"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-295", "details": ["A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.", "A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic."], "name": "CVE-2024-7383", "package_state": [{"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Will not fix", "package_name": "virt:av/libnbd", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}], "public_date": "2024-06-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-7383\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7383\nhttps://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/message/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2\nhttps://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/ENZY4LHLARA3N4C3JUNLPYUCXHFO7BWQ/"], "statement": "This CVE is rated as Moderate because it requires an active Man-in-the-Middle (MITM) attacker who can intercept and modify the connection's traffic at the TCP/IP layer. While this can compromise the confidentiality and integrity of resources, the vulnerability is considered to be difficult to exploit under normal circumstances.", "threat_severity": "Moderate"}