CVE-2024-52336

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-52336

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

A

script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.

References
Link Resource
https://access.redhat.com/errata/RHSA-2024:10384
https://access.redhat.com/errata/RHSA-2025:0879
https://access.redhat.com/errata/RHSA-2025:0880
https://access.redhat.com/security/cve/CVE-2024-52336
https://bugzilla.redhat.com/show_bug.cgi?id=2324540
https://security.opensuse.org/2024/11/26/tuned-instance-create.html
https://www.openwall.com/lists/oss-security/2024/11/28/1
https://security.opensuse.org/2024/11/26/tuned-instance-create.html
https://www.openwall.com/lists/oss-security/2024/11/28/2
Configurations

No configuration.

History

03 Feb 2025, 20:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:0879 -
  • () https://access.redhat.com/errata/RHSA-2025:0880 -

05 Dec 2024, 14:15

Type Values Removed Values Added
CWE CWE-269

02 Dec 2024, 14:15

Type Values Removed Values Added
References
  • () https://www.openwall.com/lists/oss-security/2024/11/28/1 -

29 Nov 2024, 05:15

Type Values Removed Values Added
References
  • () https://security.opensuse.org/2024/11/26/tuned-instance-create.html -
  • () https://www.openwall.com/lists/oss-security/2024/11/28/2 -
Summary
  • (es) Se identificó una vulnerabilidad de inyección de scripts en el paquete Tuned. La función `instance_create()` de D-Bus puede ser invocada por usuarios que hayan iniciado sesión localmente sin autenticación. Esta falla permite que un usuario local sin privilegios ejecute una llamada de D-Bus con opciones `script_pre` o `script_post` que permiten pasar scripts arbitrarios con sus rutas absolutas. Estos scripts o programas ejecutables controlados por el usuario o el atacante podrían ser ejecutados por Tuned con privilegios de superusuario, lo que podría permitir a los atacantes una escalada de privilegios local.

26 Nov 2024, 19:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:10384 -

26 Nov 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-11-26 16:15

Updated : 2025-02-03 20:15

NVD link : CVE-2024-52336

Mitre link : CVE-2024-52336

CVE.ORG link : CVE-2024-52336

JSON object : View

Products Affected

No product.

CWE
CWE-269

Improper Privilege Management