CVE-2024-28872
ISC Stork 0.15.0-1.15.0 - Improper Certificate Validation
Severity
HIGH
The TLS certificate validation code is flawed. An attacker can obtain a TLS certificate from the Stork server and use it to connect to the Stork agent. Once this connection is established with the valid certificate, the attacker can send malicious commands to a monitored service (Kea or BIND 9), possibly resulting in confidential data loss and/or denial of service. It should be noted that this vulnerability is not related to BIND 9 or Kea directly, and only customers using the Stork management tool are potentially affected. This issue affects Stork versions 0.15.0 through 1.15.0.
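The flaw class named above (CWE-295, improper certificate validation), shown as an added illustration that is not Stork's code and makes no claim about what Stork's own validation did: a Go verifier that only checks that a client certificate chains to the shared CA accepts every certificate that CA ever issued, while a verifier that also pins the expected peer name rejects a certificate the same CA issued for a different host. The CA, the two leaf certificates, the host names stork-server.example and attacker-host.example, and every function name (mkCert, leafTemplate, chainOnly, pinned, agentTLSConfig, demo) are constructed for this example and are not Stork identifiers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mkCert is a test fixture (hypothetical, not Stork code): signs tmpl with parent, self-signed when parent is nil; panics on failure.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// leafTemplate describes a client/server certificate for one DNS identity (constructed for the example).
func leafTemplate(serial int64, name string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
}

// chainOnly is the weak check: every certificate the CA ever issued passes, whoever it was issued to.
func chainOnly(roots *x509.CertPool, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// pinned is the hardened check: a valid chain AND the expected peer identity in the SAN.
func pinned(roots *x509.CertPool, leaf *x509.Certificate, expected string) error {
	if err := chainOnly(roots, leaf); err != nil {
		return err
	}
	return leaf.VerifyHostname(expected)
}

// agentTLSConfig wires the hardened check into a Go TLS listener: crypto/tls enforces the chain against ClientCAs, VerifyConnection adds the identity check.
func agentTLSConfig(roots *x509.CertPool, expected string) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots, MinVersion: tls.VersionTLS12,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no client certificate presented")
			}
			return cs.PeerCertificates[0].VerifyHostname(expected)
		},
	}
}

// Outcome records how each check treats the legitimate certificate and an impostor certificate the same CA issued for another name.
type Outcome struct {
	ChainOnlyServer, ChainOnlyImpostor, PinnedServer, PinnedImpostor, ConfigImpostor error
}

func demo() Outcome {
	now := time.Now()
	ca, caKey := mkCert(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "demo-ca"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	server, _ := mkCert(leafTemplate(2, "stork-server.example"), ca, caKey)    // assumed legitimate peer name
	impostor, _ := mkCert(leafTemplate(3, "attacker-host.example"), ca, caKey) // any other cert from the same CA
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	const expected = "stork-server.example"
	return Outcome{
		ChainOnlyServer:   chainOnly(roots, server),
		ChainOnlyImpostor: chainOnly(roots, impostor),
		PinnedServer:      pinned(roots, server, expected),
		PinnedImpostor:    pinned(roots, impostor, expected),
		ConfigImpostor:    agentTLSConfig(roots, expected).VerifyConnection(tls.ConnectionState{PeerCertificates: []*x509.Certificate{impostor}}),
	}
}

func main() {
	fmt.Printf("%+v\n", demo())
}
```

Running it prints nil for both chain-only results and for the pinned legitimate certificate, and a hostname error for the impostor under both pinned and the tls.Config path. The design point is that a shared CA is an issuer, not an identity: a receiver that stops at "signed by our CA" treats every holder of any CA-issued certificate as the same principal, which is the shape of the description above. The pinned check is the minimum; a deployment that expects exactly one peer can go further and compare the leaf's public key or fingerprint rather than a name.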
References (1)
Vendor Advisory
https://kb.isc.org/docs/cve-2024-28872
Scores
CVSS v3
8.9
EPSS
0.0019 (0.19% estimated probability of exploitation in the next 30 days)
EPSS Percentile
40.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Products (1)
isc/stork
0.15.0 - 1.15.1
Published
Jul 11, 2024
Tracked Since
Feb 18, 2026