
    2 vulnerabilities found for Anbox Cloud by Canonical Ltd.

    CVE-2024-8287 (GCVE-0-2024-8287)

    Vulnerability from nvd – Published: 2024-09-18 18:35 – Updated: 2024-09-19 20:25
    Summary
    Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE: CWE-295 (Improper Certificate Validation)
    Assigner: canonical
    Impacted products
    Vendor Product Version
    Canonical Ltd. Anbox Cloud Affected: 1.17.0 , < 1.23.1 (semver)
    canonical anbox_cloud Affected: 1.17.0 , < 1.23.1 (custom)
        cpe:2.3:a:canonical:anbox_cloud:*:*:*:*:*:*:*:*
    Credits
    Simon Fels (finder), Simon Fels (remediation developer)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:canonical:anbox_cloud:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "anbox_cloud",
                "vendor": "canonical",
                "versions": [
                  {
                    "lessThan": "1.23.1",
                    "status": "affected",
                    "version": "1.17.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8287",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T20:23:48.348893Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T20:25:24.637Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "anbox",
              "platforms": [
                "Linux"
              ],
              "product": "Anbox Cloud",
              "vendor": "Canonical Ltd.",
              "versions": [
                {
                  "lessThan": "1.23.1",
                  "status": "affected",
                  "version": "1.17.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Simon Fels"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Simon Fels"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-18T18:52:28.961Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-been-released/48141"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://bugs.launchpad.net/anbox-cloud/+bug/2077570"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2024-8287"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2024-8287",
        "datePublished": "2024-09-18T18:35:25.803Z",
        "dateReserved": "2024-08-28T19:43:49.942Z",
        "dateUpdated": "2024-09-19T20:25:24.637Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8287 (GCVE-0-2024-8287)

    Vulnerability from cvelistv5 – Published: 2024-09-18 18:35 – Updated: 2024-09-19 20:25
    Summary
    Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE: CWE-295 (Improper Certificate Validation)
    Assigner: canonical
    Impacted products
    Vendor Product Version
    Canonical Ltd. Anbox Cloud Affected: 1.17.0 , < 1.23.1 (semver)
    canonical anbox_cloud Affected: 1.17.0 , < 1.23.1 (custom)
        cpe:2.3:a:canonical:anbox_cloud:*:*:*:*:*:*:*:*
    Credits
    Simon Fels (finder), Simon Fels (remediation developer)

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:canonical:anbox_cloud:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "anbox_cloud",
                "vendor": "canonical",
                "versions": [
                  {
                    "lessThan": "1.23.1",
                    "status": "affected",
                    "version": "1.17.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8287",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-19T20:23:48.348893Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-19T20:25:24.637Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "packageName": "anbox",
              "platforms": [
                "Linux"
              ],
              "product": "Anbox Cloud",
              "vendor": "Canonical Ltd.",
              "versions": [
                {
                  "lessThan": "1.23.1",
                  "status": "affected",
                  "version": "1.17.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Simon Fels"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Simon Fels"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-18T18:52:28.961Z",
            "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
            "shortName": "canonical"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-been-released/48141"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://bugs.launchpad.net/anbox-cloud/+bug/2077570"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://www.cve.org/CVERecord?id=CVE-2024-8287"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "assignerShortName": "canonical",
        "cveId": "CVE-2024-8287",
        "datePublished": "2024-09-18T18:35:25.803Z",
        "dateReserved": "2024-08-28T19:43:49.942Z",
        "dateUpdated": "2024-09-19T20:25:24.637Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }