CVE-2024-3049

EUVD-2024-31656
A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an invalid HMAC to be accepted by the Booth server.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Affected Products (NVD)
VendorProductVersion
clusterlabsbooth
𝑥
< 1.1
redhatenterprise_linux
7.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
redhatenterprise_linux_eus
8.4
redhatenterprise_linux_eus
8.8
redhatenterprise_linux_eus
9.2
redhatenterprise_linux_for_arm_64
8.0_aarch64:_aarch64
redhatenterprise_linux_for_arm_64
8.8_aarch64:_aarch64
redhatenterprise_linux_for_arm_64
9.2_aarch64:_aarch64
redhatenterprise_linux_for_arm_64
9.4_aarch64:_aarch64
redhatenterprise_linux_for_ibm_z_systems
8.0_s390x:_s390x
redhatenterprise_linux_for_ibm_z_systems
9.2_s390x:_s390x
redhatenterprise_linux_for_ibm_z_systems
9.4_s390x:_s390x
redhatenterprise_linux_for_ibm_z_systems_eus
8.8_s390x:_s390x
redhatenterprise_linux_for_power_little_endian_eus
8.0_ppc64le:_ppc64le
redhatenterprise_linux_for_power_little_endian_eus
8.4_ppc64le:_ppc64le
redhatenterprise_linux_for_power_little_endian_eus
8.8_ppc64le:_ppc64le
redhatenterprise_linux_for_power_little_endian_eus
9.2_ppc64le:_ppc64le
redhatenterprise_linux_for_power_little_endian_eus
9.4_ppc64le:_ppc64le
redhatenterprise_linux_server_update_services_for_sap_solutions
8.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
booth
bookworm
1.0-283-g9d4029a-2+deb12u1
fixed
bookworm (security)
1.0-283-g9d4029a-2+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
1.0-237-gdd88847-2+deb11u2
fixed
forky
1.2-3
fixed
sid
1.2-3
fixed
trixie
1.2-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
booth
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
mantic
ignored
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
xenial
needs-triage
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
booth
RHEL 8
0:1.1-1.el8_10.1
fixed
RHEL 8.4 AUS
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.4 E4S
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.4 TUS
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.6 E4S
0:1.0-199.1.ac1d34c.git.el8_6.2
fixed
RHEL 8.6 TUS
0:1.0-199.1.ac1d34c.git.el8_6.2
fixed
RHEL 8.8 AUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 E4S
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 EUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 TUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 9
0:1.1-1.el9_4.1
fixed
booth-arbitrator
RHEL 8
0:1.1-1.el8_10.1
fixed
RHEL 8.4 AUS
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.4 E4S
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.4 TUS
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.6 E4S
0:1.0-199.1.ac1d34c.git.el8_6.2
fixed
RHEL 8.6 TUS
0:1.0-199.1.ac1d34c.git.el8_6.2
fixed
RHEL 8.8 AUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 E4S
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 EUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 TUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 9
0:1.1-1.el9_4.1
fixed
booth-core
RHEL 8
0:1.1-1.el8_10.1
fixed
RHEL 8.4 AUS
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.4 E4S
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.4 TUS
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.6 E4S
0:1.0-199.1.ac1d34c.git.el8_6.2
fixed
RHEL 8.6 TUS
0:1.0-199.1.ac1d34c.git.el8_6.2
fixed
RHEL 8.8 AUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 E4S
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 EUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 TUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 9
0:1.1-1.el9_4.1
fixed
booth-site
RHEL 8
0:1.1-1.el8_10.1
fixed
RHEL 8.4 AUS
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.4 E4S
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.4 TUS
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.6 E4S
0:1.0-199.1.ac1d34c.git.el8_6.2
fixed
RHEL 8.6 TUS
0:1.0-199.1.ac1d34c.git.el8_6.2
fixed
RHEL 8.8 AUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 E4S
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 EUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 TUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 9
0:1.1-1.el9_4.1
fixed
booth-test
RHEL 8
0:1.1-1.el8_10.1
fixed
RHEL 8.4 AUS
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.4 E4S
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.4 TUS
0:1.0-199.1.ac1d34c.git.el8_4.2
fixed
RHEL 8.6 E4S
0:1.0-199.1.ac1d34c.git.el8_6.2
fixed
RHEL 8.6 TUS
0:1.0-199.1.ac1d34c.git.el8_6.2
fixed
RHEL 8.8 AUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 E4S
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 EUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 8.8 TUS
0:1.0-283.1.9d4029a.git.el8_8.1
fixed
RHEL 9
0:1.1-1.el9_4.1
fixed
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2024:3657
https://access.redhat.com/errata/RHSA-2024:3658
https://access.redhat.com/errata/RHSA-2024:3659
https://access.redhat.com/errata/RHSA-2024:3660
https://access.redhat.com/errata/RHSA-2024:3661
https://access.redhat.com/errata/RHSA-2024:4400
https://access.redhat.com/errata/RHSA-2024:4411
https://access.redhat.com/security/cve/CVE-2024-3049
https://bugzilla.redhat.com/show_bug.cgi?id=2272082
https://github.com/ClusterLabs/booth/pull/142
https://access.redhat.com/errata/RHSA-2024:3657
https://access.redhat.com/errata/RHSA-2024:3658
https://access.redhat.com/errata/RHSA-2024:3659
https://access.redhat.com/errata/RHSA-2024:3660
https://access.redhat.com/errata/RHSA-2024:3661
https://access.redhat.com/errata/RHSA-2024:4400
https://access.redhat.com/errata/RHSA-2024:4411
https://access.redhat.com/security/cve/CVE-2024-3049
https://bugzilla.redhat.com/show_bug.cgi?id=2272082
https://lists.debian.org/debian-lts-announce/2024/09/msg00037.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERCFM3HXFJKLEMMWU3CZLPKH5LZAEDAN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPK5BHYOB7CFFRQAN55YV5LH44PWHMQD/