CVE-2024-8287 HIGH

Vendor Canonical Ltd.
Product Anbox Cloud
Weakness CWE-295
Published September 18, 2024
Last update September 19, 2024

CVSS base score

7.5/10
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.

Key dates

02 Disclosure timeline

September 18, 2024 CVE published
September 19, 2024 Record updated