CVE-2024-52337

EPSS 0.08%
Published 26.11.2024 16:15:17
Last modified 25.02.2025 12:15:31
Source secalert@redhat.com
Teams watchlist Login
Open Login

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.

Affected products Warnungen 0 Metrics 2 CWE 1 References 19

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/redhat-performance/tuned

≫

Package tuned

Default Statusunaffected

Version < 2.24.1

Version 2.23.0

Status affected

VendorRed Hat

≫

Product Fast Datapath for Red Hat Enterprise Linux 7

Default Statusaffected

Version < *

Version 0:2.11.0-5.el7fdp.2

Status unaffected

VendorRed Hat

≫

Product Fast Datapath for Red Hat Enterprise Linux 8

Default Statusaffected

Version < *

Version 0:2.24.0-2.1.20240819gitc082797f.el8fdp

Status unaffected

VendorRed Hat

≫

Product Fast Datapath for Red Hat Enterprise Linux 9

Default Statusaffected

Version < *

Version 0:2.24.0-2.1.20240819gitc082797f.el9fdp

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 7 Extended Lifecycle Support

Default Statusaffected

Version < *

Version 0:2.11.0-13.el7_9

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 7 Extended Lifecycle Support

Default Statusaffected

Version < *

Version 0:2.11.0-13.el7_9

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 8

Default Statusaffected

Version < *

Version 0:2.22.1-5.el8_10

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 8

Default Statusaffected

Version < *

Version 0:2.22.1-5.el8_10

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support

Default Statusaffected

Version < *

Version 0:2.20.0-1.el8_4.2

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Default Statusaffected

Version < *

Version 0:2.20.0-1.el8_4.2

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Default Statusaffected

Version < *

Version 0:2.20.0-1.el8_4.2

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support

Default Statusaffected

Version < *

Version 0:2.20.0-1.el8_6.2

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Default Statusaffected

Version < *

Version 0:2.20.0-1.el8_6.2

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Default Statusaffected

Version < *

Version 0:2.20.0-1.el8_6.2

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 8.8 Extended Update Support

Default Statusaffected

Version < *

Version 0:2.20.0-2.el8_8.1

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 9

Default Statusaffected

Version < *

Version 0:2.24.0-2.el9_5

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 9

Default Statusaffected

Version < *

Version 0:2.24.0-2.el9_5

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 9.2 Extended Update Support

Default Statusaffected

Version < *

Version 0:2.20.0-3.el9_2

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 9.4 Extended Update Support

Default Statusaffected

Version < *

Version 0:2.22.1-3.el9_4

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 10

Default Statusaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 6

Default Statusunknown

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.08%	0.242

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
secalert@redhat.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://access.redhat.com/errata/RHSA-2024:10384

https://access.redhat.com/errata/RHSA-2025:0879

https://access.redhat.com/errata/RHSA-2025:0880

https://security.opensuse.org/2024/11/26/tuned-instance-create.html

https://www.openwall.com/lists/oss-security/2024/11/28/1

https://www.openwall.com/lists/oss-security/2024/11/28/2

https://access.redhat.com/errata/RHSA-2024:10381

https://access.redhat.com/errata/RHSA-2024:11161

https://access.redhat.com/errata/RHSA-2025:0195

https://access.redhat.com/errata/RHSA-2025:0327

https://access.redhat.com/errata/RHSA-2025:0368

https://access.redhat.com/errata/RHSA-2025:0881