5.5
CVE-2024-52337
- EPSS 0.3%
- Veröffentlicht 26.11.2024 16:15:17
- Zuletzt bearbeitet 26.06.2026 02:16:51
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method
A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://github.com/redhat-performance/tuned
≫
Paket
tuned
Default Statusunaffected
Version
2.23.0
Version <
2.24.1
Status
affected
HerstellerRed Hat
≫
Produkt
Fast Datapath for Red Hat Enterprise Linux 7
Default Statusaffected
Version
0:2.11.0-5.el7fdp.2
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Fast Datapath for Red Hat Enterprise Linux 8
Default Statusaffected
Version
0:2.24.0-2.1.20240819gitc082797f.el8fdp
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Fast Datapath for Red Hat Enterprise Linux 9
Default Statusaffected
Version
0:2.24.0-2.1.20240819gitc082797f.el9fdp
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Default Statusaffected
Version
0:2.11.0-13.el7_9
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 7 Extended Lifecycle Support
Default Statusaffected
Version
0:2.11.0-13.el7_9
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 8
Default Statusaffected
Version
0:2.22.1-5.el8_10
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 8
Default Statusaffected
Version
0:2.22.1-5.el8_10
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Default Statusaffected
Version
0:2.20.0-1.el8_4.2
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Default Statusaffected
Version
0:2.20.0-1.el8_4.2
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Default Statusaffected
Version
0:2.20.0-1.el8_4.2
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Default Statusaffected
Version
0:2.20.0-1.el8_6.2
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Default Statusaffected
Version
0:2.20.0-1.el8_6.2
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Default Statusaffected
Version
0:2.20.0-1.el8_6.2
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 8.8 Extended Update Support
Default Statusaffected
Version
0:2.20.0-2.el8_8.1
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 9
Default Statusaffected
Version
0:2.24.0-2.el9_5
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 9
Default Statusaffected
Version
0:2.24.0-2.el9_5
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 9.2 Extended Update Support
Default Statusaffected
Version
0:2.20.0-3.el9_2
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 9.4 Extended Update Support
Default Statusaffected
Version
0:2.22.1-3.el9_4
Version <
*
Status
unaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 10
Default Statusaffected
HerstellerRed Hat
≫
Produkt
Red Hat Enterprise Linux 6
Default Statusunknown
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.3% | 0.212 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 5.5 | 1.8 | 3.6 |
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
https://access.redhat.com/errata/RHSA-2024:10384
https://access.redhat.com/errata/RHSA-2025:0879
https://access.redhat.com/errata/RHSA-2025:0880
https://security.opensuse.org/2024/11/26/tuned-instance-create.html
https://www.openwall.com/lists/oss-security/2024/11/28/1
https://www.openwall.com/lists/oss-security/2024/11/28/2
https://access.redhat.com/errata/RHSA-2024:10381
https://access.redhat.com/errata/RHSA-2024:11161
https://access.redhat.com/errata/RHSA-2025:0195
https://access.redhat.com/errata/RHSA-2025:0327
https://access.redhat.com/errata/RHSA-2025:0368
https://access.redhat.com/errata/RHSA-2025:0881
https://access.redhat.com/errata/RHSA-2025:1785
https://access.redhat.com/errata/RHSA-2025:1802
https://access.redhat.com/security/cve/CVE-2024-52337
https://bugzilla.redhat.com/show_bug.cgi?id=2324541
https://github.com/redhat-performance/tuned/releases/tag/v2.24.1