Refine your search

1 vulnerability found for booth by clusterlabs

CVE-2024-3049 (GCVE-0-2024-3049)
Vulnerability from cvelistv5
Published
2024-06-06 05:30
Modified
2025-11-08 03:10
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE
  • CWE-345 - Insufficient Verification of Data Authenticity
Summary
A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an invalid HMAC to be accepted by the Booth server.
References
https://access.redhat.com/errata/RHSA-2024:3657 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3658 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3659 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3660 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3661 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:4400 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:4411 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-3049 vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2272082 issue-tracking, x_refsource_REDHAT
https://github.com/ClusterLabs/booth/pull/142
Impacted products
Vendor Product Version
Version: 1.0-283.1
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 8 Unaffected: 0:1.1-1.el8_10.1   < *
    cpe:/a:redhat:enterprise_linux:8::highavailability
    cpe:/a:redhat:enterprise_linux:8::resilientstorage
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 8.4 Telecommunications Update Service Unaffected: 0:1.0-199.1.ac1d34c.git.el8_4.2   < *
    cpe:/a:redhat:rhel_tus:8.4::highavailability
    cpe:/a:redhat:rhel_e4s:8.4::highavailability
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Unaffected: 0:1.0-199.1.ac1d34c.git.el8_4.2   < *
    cpe:/a:redhat:rhel_tus:8.4::highavailability
    cpe:/a:redhat:rhel_e4s:8.4::highavailability
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 8.6 Telecommunications Update Service Unaffected: 0:1.0-199.1.ac1d34c.git.el8_6.2   < *
    cpe:/a:redhat:rhel_e4s:8.6::highavailability
    cpe:/a:redhat:rhel_tus:8.6::highavailability
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Unaffected: 0:1.0-199.1.ac1d34c.git.el8_6.2   < *
    cpe:/a:redhat:rhel_e4s:8.6::highavailability
    cpe:/a:redhat:rhel_tus:8.6::highavailability
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 8.8 Extended Update Support Unaffected: 0:1.0-283.1.9d4029a.git.el8_8.1   < *
    cpe:/a:redhat:rhel_eus:8.8::resilientstorage
    cpe:/a:redhat:rhel_eus:8.8::highavailability
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:1.1-1.el9_4.1   < *
    cpe:/a:redhat:enterprise_linux:9::resilientstorage
    cpe:/a:redhat:enterprise_linux:9::highavailability
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Unaffected: 0:1.0-251.3.bfb2f92.git.el9_0.2   < *
    cpe:/a:redhat:rhel_e4s:9.0::highavailability
    cpe:/a:redhat:rhel_e4s:9.0::resilientstorage
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support Unaffected: 0:1.0-283.1.9d4029a.git.el9_2.1   < *
    cpe:/a:redhat:rhel_eus:9.2::resilientstorage
    cpe:/a:redhat:rhel_eus:9.2::highavailability
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
 Create a notification for this product.
   Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-3049",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-13T20:24:04.305850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-13T20:24:16.483Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-24T18:03:12.532Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2024:3657",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:3657"
          },
          {
            "name": "RHSA-2024:3658",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:3658"
          },
          {
            "name": "RHSA-2024:3659",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:3659"
          },
          {
            "name": "RHSA-2024:3660",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:3660"
          },
          {
            "name": "RHSA-2024:3661",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:3661"
          },
          {
            "name": "RHSA-2024:4400",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:4400"
          },
          {
            "name": "RHSA-2024:4411",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:4411"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2024-3049"
          },
          {
            "name": "RHBZ#2272082",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272082"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERCFM3HXFJKLEMMWU3CZLPKH5LZAEDAN/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPK5BHYOB7CFFRQAN55YV5LH44PWHMQD/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00037.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/ClusterLabs/booth",
          "defaultStatus": "unaffected",
          "packageName": "booth",
          "versions": [
            {
              "status": "affected",
              "version": "1.0-283.1"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::highavailability",
            "cpe:/a:redhat:enterprise_linux:8::resilientstorage"
          ],
          "defaultStatus": "affected",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.1-1.el8_10.1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_tus:8.4::highavailability",
            "cpe:/a:redhat:rhel_e4s:8.4::highavailability"
          ],
          "defaultStatus": "affected",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0-199.1.ac1d34c.git.el8_4.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_tus:8.4::highavailability",
            "cpe:/a:redhat:rhel_e4s:8.4::highavailability"
          ],
          "defaultStatus": "affected",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0-199.1.ac1d34c.git.el8_4.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.6::highavailability",
            "cpe:/a:redhat:rhel_tus:8.6::highavailability"
          ],
          "defaultStatus": "affected",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0-199.1.ac1d34c.git.el8_6.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:8.6::highavailability",
            "cpe:/a:redhat:rhel_tus:8.6::highavailability"
          ],
          "defaultStatus": "affected",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0-199.1.ac1d34c.git.el8_6.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:8.8::resilientstorage",
            "cpe:/a:redhat:rhel_eus:8.8::highavailability"
          ],
          "defaultStatus": "affected",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0-283.1.9d4029a.git.el8_8.1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::resilientstorage",
            "cpe:/a:redhat:enterprise_linux:9::highavailability"
          ],
          "defaultStatus": "affected",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.1-1.el9_4.1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_e4s:9.0::highavailability",
            "cpe:/a:redhat:rhel_e4s:9.0::resilientstorage"
          ],
          "defaultStatus": "affected",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0-251.3.bfb2f92.git.el9_0.2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:9.2::resilientstorage",
            "cpe:/a:redhat:rhel_eus:9.2::highavailability"
          ],
          "defaultStatus": "affected",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 9.2 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.0-283.1.9d4029a.git.el9_2.1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "unknown",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "affected",
          "packageName": "booth",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-05-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an invalid HMAC to be accepted by the Booth server."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-08T03:10:49.077Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:3657",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3657"
        },
        {
          "name": "RHSA-2024:3658",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3658"
        },
        {
          "name": "RHSA-2024:3659",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3659"
        },
        {
          "name": "RHSA-2024:3660",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3660"
        },
        {
          "name": "RHSA-2024:3661",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3661"
        },
        {
          "name": "RHSA-2024:4400",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:4400"
        },
        {
          "name": "RHSA-2024:4411",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:4411"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-3049"
        },
        {
          "name": "RHBZ#2272082",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272082"
        },
        {
          "url": "https://github.com/ClusterLabs/booth/pull/142"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-03-28T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-05-27T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Booth: specially crafted hash can lead to invalid hmac being accepted by booth server",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
        }
      ],
      "x_redhatCweChain": "CWE-345: Insufficient Verification of Data Authenticity"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-3049",
    "datePublished": "2024-06-06T05:30:04.137Z",
    "dateReserved": "2024-03-28T17:17:50.507Z",
    "dateUpdated": "2025-11-08T03:10:49.077Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}