CVSS: 5.9EPSS: 0%CPEs: 21EXPL: 1CVE-2024-3049 – Booth: specially crafted hash can lead to invalid hmac being accepted by booth server
https://notcve.org/view.php?id=CVE-2024-3049
A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an invalid HMAC to be accepted by the Booth server. Se encontró una falla en Booth, un administrador de tickets de clúster. Si se pasa un hash especialmente manipulado a gcry_md_get_algo_dlen(), es posible que el servidor Booth acepte un HMAC no válido. • https://github.com/truonghuuphuc/CVE-2024-30491-Poc https://access.redhat.com/errata/RHSA-2024:3657 https://access.redhat.com/errata/RHSA-2024:3658 https://access.redhat.com/errata/RHSA-2024:3659 https://access.redhat.com/errata/RHSA-2024:3660 https://access.redhat.com/errata/RHSA-2024:3661 https://access.redhat.com/errata/RHSA-2024:4400 https://access.redhat.com/errata/RHSA-2024:4411 https://access.redhat.com/security/cve/CVE-2024-3049 https://bugzilla.redhat.com/sho • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-2553 – booth: authfile directive in booth config file is completely ignored.
https://notcve.org/view.php?id=CVE-2022-2553
The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. As a result, nodes that do not have the correct authentication key are not prevented from communicating with other nodes in the cluster. La directiva authfile en el archivo de configuración de booth es ignorada, impidiendo el uso de la autenticación en las comunicaciones de nodo a nodo. Como resultando, los nodos que no presentan la clave de autenticación correcta no son impedidos de comunicarse con otros nodos en el cluster A flaw was found in booth in the way it handles the authfile directive in configuration files, which causes authentication to be skipped between nodes. As a result, an attacker-controlled node that does not have the correct authentication key does not prevent communication with other nodes in the cluster. • https://github.com/ClusterLabs/booth/commit/35bf0b7b048d715f671eb68974fb6b4af6528c67 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4T4TTXAABVUCMPUL7XQ2PH5EYYOOQZY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OHDOFX7NQFH3UGZZA3SGW5SVMDDHIUVD https://www.debian.org/security/2022/dsa-5194 https://access.redhat.com/security/cve/CVE-2022-2553 https://bugzilla.redhat.com/show_bug.cgi?id=2109251 • CWE-287: Improper Authentication •