CVE-2024-52336 — Improper Privilege Management in Tuned

CWE-269 — Improper Privilege Management6 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 92.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tuned Debian Tuned Msrc Azl3 Tuned 2.21.0-2 ON Azure Linux 3.0 +5 more

Timeline

PublishedNov 26

Description

A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages8 packages

▶debiandebian/tuned< tuned 2.24.1-1 (forky)

▶Debiantuned/tuned< 2.24.1-1+1

▶msrcmsrc/azl3_tuned_2.21.0-2_on_azure_linux_3.0

▶msrcmsrc/cbl2_tuned_2.15.0-5_on_cbl_mariner_2.0

▶msrcmsrc/azure_linux_3.0_arm

🔴Vulnerability Details

OSV

CVE-2024-52336: A script injection vulnerability was identified in the Tuned package↗2024-11-26

▶

GHSA

GHSA-cfjc-m7fv-63xj: A script injection vulnerability was identified in the Tuned package↗2024-11-26

▶

📋Vendor Advisories

Red Hat

tuned: `script_pre` and `script_post` options allow to pass arbitrary scripts executed by root↗2024-11-26

▶

Microsoft

Tuned: `script_pre` and `script_post` options allow to pass arbitrary scripts executed by root↗2024-11-12

▶

Debian

CVE-2024-52336: tuned - A script injection vulnerability was identified in the Tuned package. The `insta...↗2024

▶