CVE-2024-6156

EUVD-2024-3419
Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could be bypassed if the client's certificate was present in the trust store.
Provider  | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST      | Primary | 3.8 LOW    | LOCAL       | LOW             | LOW            | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
canonical | CNA     | 3.8 LOW    | LOCAL       | LOW             | LOW            | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Base Score: CVSS 3.x
EPSS Score: Percentile 7%
Affected Products (NVD)

Vendor    | Product | Version
canonical | lxd     | x < 5.21.2
canonical | lxd     | 4.0.0 <= x < 4.0.10
canonical | lxd     | 5.0.0 <= x < 5.0.4
canonical | lxd     | 5.1 <= x < 5.21.2

x = vulnerable software versions
Debian Releases

Debian Product | Codename           | Version          | Status
incus          | bookworm           |                  | ignored
incus          | forky              | 6.0.5-7          | fixed
incus          | sid                | 6.0.5-7          | fixed
incus          | trixie             | 6.0.4-2+deb13u1  | ignored
incus          | trixie (security)  | 6.0.4-2+deb13u2  | fixed
lxd            | bookworm           |                  | ignored
lxd            | bookworm (security)|                  | vulnerable
lxd            | trixie             |                  | ignored
lxd            | trixie (security)  |                  | vulnerable
Ubuntu Releases

Ubuntu Product | Codename | Status
lxd            | bionic   | needs-triage
lxd            | focal    | needs-triage
lxd            | jammy    | dne
lxd            | mantic   | dne
lxd            | noble    | dne
lxd            | oracular | dne
lxd            | plucky   | dne
lxd            | questing | dne
lxd            | xenial   | needs-triage