7.8 (CVSS 3.1 base score)
CVE-2024-52336
- EPSS 0.03%
- Published 26.11.2024 16:15:17
- Last modified 15.04.2026 00:35:42
- Source secalert@redhat.com
Tuned: `script_pre` and `script_post` options allow arbitrary scripts to be passed and executed as root
A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This lets a local, unprivileged user pass `script_pre` or `script_post` options in the D-Bus call that name arbitrary scripts by absolute path. Because Tuned then runs these user- or attacker-controlled scripts or programs with root privileges, the flaw allows local privilege escalation.
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Upstream collection URL: https://github.com/redhat-performance/tuned

Affected-version data as reported by the CNA (Red Hat). For the upstream `tuned` package, the default status is unaffected and the listed range is the affected one. For the Red Hat products, the default status is affected and the listed version is the first build marked unaffected, i.e. every build at or above that version is fixed; products with no version listed carry only their default status.

| Vendor | Product / package | Default status | Version range | Status of that range |
|---|---|---|---|---|
| Red Hat | tuned (package) | unaffected | >= 2.23.0, < 2.24.1 | affected |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 | affected | >= 0:2.24.0-2.1.20240819gitc082797f.el8fdp | unaffected |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | affected | >= 0:2.24.0-2.1.20240819gitc082797f.el9fdp | unaffected |
| Red Hat | Red Hat Enterprise Linux 9 | affected | >= 0:2.24.0-2.el9_5 | unaffected |
| Red Hat | Fast Datapath for RHEL 7 | unaffected | | |
| Red Hat | Red Hat Enterprise Linux 10 | affected | (no fixed build listed) | |
| Red Hat | Red Hat Enterprise Linux 6 | unaffected | | |
| Red Hat | Red Hat Enterprise Linux 7 | unaffected | | |
| Red Hat | Red Hat Enterprise Linux 8 | unaffected | | |
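The description above names the vulnerable D-Bus entry point, and the CNA data lists the first fixed build per product. The practical question on a host is whether the installed `tuned` build is at or above that fixed build, which has to be decided with rpm's epoch:version-release ordering rather than string comparison. The following is an added example, not code from the Tuned project or from Red Hat: it reimplements rpm's version-segment comparison (the `~` pre-release marker is handled, the `^` operator is not), embeds the fixed EVRs and the upstream affected range exactly as listed on this page, and queries `rpm -q` for the installed build. The product name passed to `assess()` is an assumption the caller has to pick to match the host.

```python
"""Check an installed tuned build against the CVE-2024-52336 version data.
rpmvercmp-style comparison and the rpm query helper are this example's own;
the EVRs and ranges are copied from the CNA data above."""
import re
import shutil
import subprocess

# Per product: (default status, first fixed EVR or None if none is listed).
PRODUCTS = {
    "Red Hat Enterprise Linux 9": ("affected", "0:2.24.0-2.el9_5"),
    "Fast Datapath for Red Hat Enterprise Linux 8": ("affected", "0:2.24.0-2.1.20240819gitc082797f.el8fdp"),
    "Fast Datapath for Red Hat Enterprise Linux 9": ("affected", "0:2.24.0-2.1.20240819gitc082797f.el9fdp"),
    "Red Hat Enterprise Linux 10": ("affected", None),
    "Red Hat Enterprise Linux 8": ("unaffected", None),
    "Red Hat Enterprise Linux 7": ("unaffected", None),
    "Red Hat Enterprise Linux 6": ("unaffected", None),
    "Fast Datapath for RHEL 7": ("unaffected", None),
}
# Upstream collection entry: 2.23.0 <= version < 2.24.1 is affected.
UPSTREAM_FIRST_AFFECTED = "2.23.0"
UPSTREAM_FIRST_FIXED = "2.24.1"

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version/release strings, returning -1, 0 or 1.
    Separators are ignored; digit runs compare numerically, letter runs
    lexically; digits beat letters; '~' sorts before everything, including
    end-of-string (1.0~rc1 < 1.0). The '^' operator is not implemented."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else None
        y = sb.pop(0) if sb else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:            # a is a prefix of b, so b is newer
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            c = (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def split_evr(evr: str):
    """'0:2.24.0-2.el9_5' -> (0, '2.24.0', '2.el9_5'); a missing epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evrcmp(a: str, b: str) -> int:
    """Full EVR ordering: epoch first, then version, then release."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def assess(product: str, installed_evr: str) -> str:
    """'unaffected', 'fixed' (at or above the first fixed EVR) or 'affected'."""
    default, fixed = PRODUCTS[product]
    if default == "unaffected":
        return "unaffected"
    if fixed is None:
        return "affected"        # the CNA lists no fixed build for this product
    return "fixed" if evrcmp(installed_evr, fixed) >= 0 else "affected"


def upstream_affected(version: str) -> bool:
    """True for upstream tuned releases in [2.23.0, 2.24.1)."""
    return (rpmvercmp(version, UPSTREAM_FIRST_AFFECTED) >= 0
            and rpmvercmp(version, UPSTREAM_FIRST_FIXED) < 0)


def installed_tuned_evr():
    """Installed tuned EVR from rpm, or None if rpm or the package is absent.
    rpm prints '(none)' for an unset epoch; that is normalised to 0."""
    if shutil.which("rpm") is None:
        return None
    r = subprocess.run(["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", "tuned"],
                       capture_output=True, text=True)
    return None if r.returncode != 0 else r.stdout.strip().replace("(none)", "0", 1)


if __name__ == "__main__":
    evr = installed_tuned_evr()
    print("installed tuned:", evr)
    if evr:   # assumed product; choose the PRODUCTS row matching the host
        print(assess("Red Hat Enterprise Linux 9", evr))
```

The comparison deliberately follows rpm semantics, so a rebuilt `2.el9_5` release counts as newer than `2.el9` and a `~rc` pre-release counts as older than the final version; a plain string compare would get both wrong. Products the CNA marks unaffected are reported as such regardless of the installed version.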
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.079 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 7.8 | 1.8 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CWE-269 Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.