CVE-2024-3049

A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an invalid HMAC to be accepted by the Booth server.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
redhatCNA
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
clusterlabsbooth
𝑥
< 1.1
redhatenterprise_linux
7.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
redhatenterprise_linux_eus
8.4
redhatenterprise_linux_eus
8.8
redhatenterprise_linux_eus
9.2
redhatenterprise_linux_for_arm_64
8.0_aarch64:_aarch64
redhatenterprise_linux_for_arm_64
8.8_aarch64:_aarch64
redhatenterprise_linux_for_arm_64
9.2_aarch64:_aarch64
redhatenterprise_linux_for_arm_64
9.4_aarch64:_aarch64
redhatenterprise_linux_for_ibm_z_systems
8.0_s390x:_s390x
redhatenterprise_linux_for_ibm_z_systems
9.2_s390x:_s390x
redhatenterprise_linux_for_ibm_z_systems
9.4_s390x:_s390x
redhatenterprise_linux_for_ibm_z_systems_eus
8.8_s390x:_s390x
redhatenterprise_linux_for_power_little_endian_eus
8.0_ppc64le:_ppc64le
redhatenterprise_linux_for_power_little_endian_eus
8.4_ppc64le:_ppc64le
redhatenterprise_linux_for_power_little_endian_eus
8.8_ppc64le:_ppc64le
redhatenterprise_linux_for_power_little_endian_eus
9.2_ppc64le:_ppc64le
redhatenterprise_linux_for_power_little_endian_eus
9.4_ppc64le:_ppc64le
redhatenterprise_linux_server_update_services_for_sap_solutions
8.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
booth
bullseye
vulnerable
bullseye (security)
1.0-237-gdd88847-2+deb11u2
fixed
bookworm
1.0-283-g9d4029a-2+deb12u1
fixed
bookworm (security)
1.0-283-g9d4029a-2+deb12u1
fixed
sid
1.2-3
fixed
trixie
1.2-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
booth
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2024:3657
https://access.redhat.com/errata/RHSA-2024:3658
https://access.redhat.com/errata/RHSA-2024:3659
https://access.redhat.com/errata/RHSA-2024:3660
https://access.redhat.com/errata/RHSA-2024:3661
https://access.redhat.com/errata/RHSA-2024:4400
https://access.redhat.com/errata/RHSA-2024:4411
https://access.redhat.com/security/cve/CVE-2024-3049
https://bugzilla.redhat.com/show_bug.cgi?id=2272082
https://access.redhat.com/errata/RHSA-2024:3657
https://access.redhat.com/errata/RHSA-2024:3658
https://access.redhat.com/errata/RHSA-2024:3659
https://access.redhat.com/errata/RHSA-2024:3660
https://access.redhat.com/errata/RHSA-2024:3661
https://access.redhat.com/errata/RHSA-2024:4400
https://access.redhat.com/errata/RHSA-2024:4411
https://access.redhat.com/security/cve/CVE-2024-3049
https://bugzilla.redhat.com/show_bug.cgi?id=2272082
https://lists.debian.org/debian-lts-announce/2024/09/msg00037.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERCFM3HXFJKLEMMWU3CZLPKH5LZAEDAN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPK5BHYOB7CFFRQAN55YV5LH44PWHMQD/