{
  "threat_severity" : "Moderate",
  "public_date" : "2024-06-25T00:00:00Z",
  "bugzilla" : {
    "description" : "libnbd: NBD server improper certificate validation",
    "id" : "2302865",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2302865"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-295",
  "details" : [ "A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.", "A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic." ],
  "statement" : "This CVE is rated as Moderate because it requires an active Man-in-the-Middle (MITM) attacker who can intercept and modify the connection's traffic at the TCP/IP layer. While this can compromise the confidentiality and integrity of resources, the vulnerability is considered to be difficult to exploit under normal circumstances.",
  "acknowledgement" : "Red Hat would like to thank Jon Szymaniak for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:6964",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "virt-devel:rhel-8100020240905091210.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:6964",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "virt:rhel-8100020240905091210.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-09-18T00:00:00Z",
    "advisory" : "RHSA-2024:6757",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "libnbd-0:1.18.1-4.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Affected",
    "package_name" : "libnbd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8 Advanced Virtualization",
    "fix_state" : "Will not fix",
    "package_name" : "virt:av/libnbd",
    "cpe" : "cpe:/a:redhat:advanced_virtualization:8::el8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-7383\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7383\nhttps://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/message/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2\nhttps://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/ENZY4LHLARA3N4C3JUNLPYUCXHFO7BWQ/" ],
  "name" : "CVE-2024-7383",
  "csaw" : false
}