Anbox Management Service vulnerability affects TLS certificate validation
CVE-2024-8287
7.5HIGH
Summary
The Anbox Management Service, encompassing versions 1.17.0 through 1.23.0, suffers from a vulnerability where it fails to adequately validate the TLS certificate from the Anbox Stream Agent. This oversight can facilitate a scenario where an attacker, having access to the internal network, could perform a machine-in-the-middle attack. Such a compromise allows malicious entities to intercept potentially sensitive data exchanged between the service and the agent, thereby posing significant risks to system security. Organizations using affected versions must review their network security measures and implement patches or mitigation strategies to safeguard against unauthorized access.
Affected Version(s)
Anbox Cloud Linux 1.17.0 < 1.23.1
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Credit
Simon Fels
Simon Fels