CVE-2024-4436 - Vulnerability Details

- Etcd: incomplete fix for cve-2022-41723 in openstack platform

Description

The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2022-41723. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.

Published: 2024-05-08

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

affected

Version	Status	Constraints
`etcd-3.3.23-16.el8ost`	unaffected	< *

Red Hat

Red Hat OpenStack Platform 16.1

affected

Version	Status	Constraints
`0:3.3.23-16.el8ost`	unaffected	< *

Red Hat

Red Hat OpenStack Platform 16.2

affected

Version	Status	Constraints
`0:3.3.23-16.el8ost`	unaffected	< *

Red Hat Red Hat OpenStack Platform 17.1 unaffected —

Red Hat Red Hat OpenStack Platform 18.0 affected —

No data.

Package	CPE	Advisory	Released Date
Red Hat OpenStack Platform 16.1
etcd-0:3.3.23-16.el8ost	cpe:/a:redhat:openstack:16.1::el8	RHSA-2024:3467	2024-05-29T00:00:00Z
Red Hat OpenStack Platform 16.2
etcd-0:3.3.23-16.el8ost	cpe:/a:redhat:openstack:16.2::el8	RHSA-2024:3352	2024-05-23T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-44547	The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2022-41723. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00059.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:3352
https://access.redhat.com/errata/RHSA-2024:3467
https://access.redhat.com/security/cve/CVE-2024-4436
https://bugzilla.redhat.com/show_bug.cgi?id=2279357
https://nvd.nist.gov/vuln/detail/CVE-2024-4436
https://www.cve.org/CVERecord?id=CVE-2024-4436

History

Sun, 24 Nov 2024 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Redhat Openstack

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2024-05-08T08:57:12.237Z

Updated: 2025-11-10T13:41:49.139Z

Reserved: 2024-05-02T16:28:27.069Z

Link: CVE-2024-4436

Vulnrichment

Updated: 2024-08-01T20:40:47.221Z

NVD

Status : Deferred

Published: 2024-05-08T09:15:09.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-4436

Redhat

Severity : Moderate

Publid Date: 2024-05-06T00:00:00Z

Links: CVE-2024-4436 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-400

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object