CVE-2024-52337 — Improper Input Validation in Tuned
Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 90.42%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 26
Description
A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters, so newlines can be inserted into the log. Instead of the 'evil' string, the attacker could mimic a valid TuneD log line and trick the administrator. Single quotes ('') are usually used in TuneD logs to cite raw user input, so there will always be a ' character ending the spoofed input, which the administrator can easily overlook. Thi…
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 1.8 | Impact: 3.6
Affected Packages: 8 packages
Vendor Advisories (3)
- Red Hat (2024-11-26): tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method
- Microsoft (2024-11-12): Tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method
- Debian (2024): CVE-2024-52337: tuned - A log spoofing flaw was found in the Tuned package due to improper sanitization ...