CVE-2024-2307

Summary

A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.

Affected Software

VendorProductVersion RangeStatus
0 < 94.0.0affected
Red HatRed Hat Enterprise Linux 80:101-1.el8 < *unaffected
Red HatRed Hat Enterprise Linux 90:101-1.el9 < *unaffected

Weaknesses

  • CWE-347: Improper Verification of Cryptographic Signature

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References