CVE-2024-7383

CVE Details

Release Date:

2024-06-25

Description

A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.

See more information about CVE-2024-7383 from MITRE CVE dictionary and NIST NVD

CVSS Scoring

NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score:	7.4	CVSS Vector:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector:	Network	Attack Complexity:	High
Privileges Required:	None	User Interaction:	None
Scope:	Unchanged	Confidentiality Impact:	High
Integrity Impact:	High	Availability Impact:	None

Errata information

Platform	Errata	Release Date
Oracle Linux version 8 (hivex)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (libguestfs)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (libguestfs-winsupport)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (libiscsi)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (libnbd)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (libtpms)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (libvirt)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (libvirt-dbus)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (libvirt-python)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (nbdkit)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (netcf)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (perl-Sys-Virt)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (qemu-kvm)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (seabios)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (sgabios)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (supermin)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (swtpm)	ELSA-2024-6964	2024-09-24
Oracle Linux version 8 (virt-v2v)	ELSA-2024-6964	2024-09-24
Oracle Linux version 9 (libnbd)	ELSA-2024-6757	2024-09-19