CVE-2024-8287

Description

Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Canonical Ltd. / Anbox Cloud1.17.0 – 1.23.1

References

VENDOR_ADVISORYhttps://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-been-released/48141
MISChttps://bugs.launchpad.net/anbox-cloud/+bug/2077570
CONFIRMhttps://www.cve.org/CVERecord?id=CVE-2024-8287