8.8
CVE-2024-32019
- EPSS 1.17%
- Veröffentlicht 12.04.2024 21:15:12
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
ndsudo: local privilege escalation via untrusted search path
Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
Herstellernetdata
≫
Produkt
netdata
Default Statusunknown
Version
1.44.0-60
Version <
1.45.0-169
Status
affected
Version
1.45.0
Version <
1.45.3
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.17% | 0.634 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.8 | 2 | 6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
|
CWE-426 Untrusted Search Path
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
https://github.com/netdata/netdata/pull/17377
https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93