CVE-2024-8007 - Vulnerability Details

A flaw was found in the openstack-tripleo-common component of the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00318.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat Subscribe	Openstack Subscribe Openstack Platform Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:redhat:openstack_platform:16.1:::::::*
	cpe:2.3:a:redhat:openstack_platform:16.2:::::::*
	cpe:2.3:a:redhat:openstack_platform:17.1:::::::*

Package	CPE	Advisory	Released Date
Red Hat OpenStack Platform 17.1 for RHEL 8
openstack-tripleo-common-0:15.4.1-17.1.20240911093743.e5b18f2.el8ost	cpe:/a:redhat:openstack:17.1::el8	RHSA-2024:9991	2024-11-21T00:00:00Z
python-tripleoclient-0:16.5.1-17.1.20240913093745.f3599d0.el8ost	cpe:/a:redhat:openstack:17.1::el8	RHSA-2024:9991	2024-11-21T00:00:00Z
Red Hat OpenStack Platform 17.1 for RHEL 9
openstack-tripleo-common-0:15.4.1-17.1.20240911100820.e5b18f2.el9ost	cpe:/a:redhat:openstack:17.1::el9	RHSA-2024:9990	2024-11-21T00:00:00Z
python-tripleoclient-0:16.5.1-17.1.20240913100806.f3599d0.el9ost	cpe:/a:redhat:openstack:17.1::el9	RHSA-2024:9990	2024-11-21T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-49528	A flaw was found in the openstack-tripleo-common component of the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack.

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:9990
https://access.redhat.com/errata/RHSA-2024:9991
https://access.redhat.com/security/cve/CVE-2024-8007
https://bugzilla.redhat.com/show_bug.cgi?id=2305975
https://nvd.nist.gov/vuln/detail/CVE-2024-8007
https://www.cve.org/CVERecord?id=CVE-2024-8007

History

Mon, 25 Nov 2024 13:45:00 +0900

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:openstack:17.1~~
References		https://access.redhat.com/errata/RHSA-2024:9990 https://access.redhat.com/errata/RHSA-2024:9991

Sat, 23 Nov 2024 00:45:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:openstack:17.1::el8 cpe:/a:redhat:openstack:17.1::el9

Tue, 24 Sep 2024 01:45:00 +0900

Type	Values Removed	Values Added
Description	A flaw was found in the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack.	A flaw was found in the openstack-tripleo-common component of the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack.
Title	Rhosp-director: rhosp director disables tls verification for registry mirrors	Openstack-tripleo-common: rhosp director disables tls verification for registry mirrors

Wed, 18 Sep 2024 17:00:00 +0900

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Sat, 24 Aug 2024 02:30:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat openstack Platform
CPEs		cpe:2.3:a:redhat:openstack_platform:16.1:::::::* cpe:2.3:a:redhat:openstack_platform:16.2:::::::* cpe:2.3:a:redhat:openstack_platform:17.1:::::::*
Vendors & Products		Redhat openstack Platform

Thu, 22 Aug 2024 00:30:00 +0900

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 21 Aug 2024 23:00:00 +0900

Type	Values Removed	Values Added
Description	No description is available for this CVE.	A flaw was found in the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack.
Title	rhosp-director: RHOSP Director Disables TLS Verification for Registry Mirrors	Rhosp-director: rhosp director disables tls verification for registry mirrors
First Time appeared		Redhat Redhat openstack
CPEs		cpe:/a:redhat:openstack:16.1 cpe:/a:redhat:openstack:16.2 cpe:/a:redhat:openstack:17.1
Vendors & Products		Redhat Redhat openstack
References		https://access.redhat.com/security/cve/CVE-2024-8007 https://bugzilla.redhat.com/show_bug.cgi?id=2305975

Wed, 21 Aug 2024 06:30:00 +0900

Type	Values Removed	Values Added
Description		No description is available for this CVE.
Title		rhosp-director: RHOSP Director Disables TLS Verification for Registry Mirrors
Weaknesses		CWE-295
References		https://nvd.nist.gov/vuln/detail/CVE-2024-8007 https://www.cve.org/CVERecord?id=CVE-2024-8007
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-08-21T13:40:25.242Z

Updated: 2025-11-20T20:57:05.377Z

Reserved: 2024-08-20T11:09:27.802Z

Link: CVE-2024-8007

Vulnrichment

Updated: 2024-08-21T15:06:33.436Z

NVD

Status : Modified

Published: 2024-08-21T14:15:09.753

Modified: 2024-11-25T05:15:12.250

Link: CVE-2024-8007

Redhat

Severity : Moderate

Publid Date: 2024-08-20T00:00:00Z

Links: CVE-2024-8007 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-295

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object