CVE-2024-4436 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-4436 PUBLISHED CVSS 7.5 HIGH

The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2022-41723. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.

EPSS 0.08% · 23.1th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score

0.08%

23.1th percentile

Affected Products

Vendor	Product	Versions
Red Hat	Red Hat OpenStack Platform 17.1
Red Hat	Red Hat OpenStack Platform 16.2	0:3.3.23-16.el8ost
Red Hat	Red Hat OpenStack Platform 16.1	0:3.3.23-16.el8ost
Red Hat	Red Hat OpenStack Platform 18.0
		etcd-3.3.23-16.el8ost

Timeline

May 8, 2024 CVE Published
May 9, 2024 EPSS Score
Jun 2, 2024 EPSS Score
Jun 26, 2024 EPSS Score
Jul 20, 2024 EPSS Score
Aug 12, 2024 EPSS Score
Sep 5, 2024 EPSS Score
Sep 28, 2024 EPSS Score
Oct 4, 2024 Coalition ESS Score
Oct 22, 2024 EPSS Score
Nov 14, 2024 EPSS Score
Dec 9, 2024 EPSS Score

References

RHSA-2024:3352 vendor-advisory
RHSA-2024:3467 vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-4436 vdb
RHBZ#2279357 issue
https://nvd.nist.gov/vuln/detail/CVE-2024-4436 advisory

Open in Interactive Console →