CVE-2024-8287

low-risk

Published 2024-09-18

Anbox Management Service, in versions 1.17.0 through 1.23.0, does not validate the TLS certificate provided to it by the Anbox Stream Agent. An attacker must be able to machine-in-the-middle the Anbox Stream Agent from within an internal network before they can attempt to take advantage of this.

Do I need to act?

0.24% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

ADJACENT_NETWORK / HIGH complexity

Affected Products (1)

Anbox Cloud

Affected Vendors

Canonical

References (3)

Vendor Advisory https://bugs.launchpad.net/anbox-cloud/+bug/2077570

Release Notes https://discourse.ubuntu.com/t/anbox-cloud-1-23-1-has-been-released/48141

Third Party Advisory https://www.cve.org/CVERecord?id=CVE-2024-8287

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal