| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.9 | $0-$5k | 0.00 |
Summary
A vulnerability classified as problematic has been found in osbuild-composer up to 93. Affected is an unknown function of the component GPG Handler. The manipulation leads to signature verification. This vulnerability is listed as CVE-2024-2307. The attack must be carried out locally. There is no available exploit. It is recommended to upgrade the affected component.
Details
A vulnerability was found in osbuild-composer up to 93 and classified as problematic. This issue affects some unknown processing of the component GPG Handler. The manipulation with an unknown input leads to a signature verification vulnerability. Using CWE to declare the problem leads to CWE-347. The product does not verify, or incorrectly verifies, the cryptographic signature for data. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
A flaw was found in osbuild-composer. A condition can be triggered that disables GPG verification for package repositories, which can expose the build phase to a Man-in-the-Middle attack, allowing untrusted code to be installed into an image being built.
The advisory is shared at access.redhat.com. The identification of this vulnerability is CVE-2024-2307 since 03/07/2024. The exploitation is known to be easy. An attack has to be approached locally. Additional levels of successful authentication are necessary for exploitation. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available.
Upgrading to version 94 eliminates this vulnerability.
The vulnerability is also documented in the databases at EUVD (EUVD-2024-27262) and CERT Bund (WID-SEC-2024-1003). If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Affected
- Amazon Linux 2
- Red Hat Enterprise Linux
- SUSE Linux
- Oracle Linux
- IBM MQ
- IBM Spectrum Protect Plus
Product
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.0VulDB Meta Temp Score: 4.9
VulDB Base Score: 4.0
VulDB Temp Score: 3.8
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 6.1
CNA Vector (Red Hat, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Signature verificationCWE: CWE-347 / CWE-345
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: osbuild-composer 94
Timeline
03/07/2024 🔍03/19/2024 🔍
03/19/2024 🔍
08/30/2025 🔍
Sources
Advisory: RHSA-2024:2119Status: Confirmed
CVE: CVE-2024-2307 (🔍)
GCVE (CVE): GCVE-0-2024-2307
GCVE (VulDB): GCVE-100-257333
EUVD: 🔍
CERT Bund: WID-SEC-2024-1003 - Red Hat Enterprise Linux: Mehrere Schwachstellen
Entry
Created: 03/19/2024 18:36Updated: 08/30/2025 21:14
Changes: 03/19/2024 18:36 (62), 05/02/2024 09:11 (1), 04/14/2025 02:45 (4), 07/27/2025 07:06 (7), 08/30/2025 21:14 (1)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.