CVE-2024-52337

EPSS 0.03%
Veröffentlicht 26.11.2024 16:15:17
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle secalert@redhat.com
CVE-Watchlists
Login
Unerledigt
Login

Tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 19

CNA 21 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/redhat-performance/tuned

≫

Paket tuned

Default Statusunaffected

Version 2.23.0

Version < 2.24.1

Status affected

HerstellerRed Hat

≫

Produkt Fast Datapath for Red Hat Enterprise Linux 7

Default Statusaffected

Version 0:2.11.0-5.el7fdp.2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Fast Datapath for Red Hat Enterprise Linux 8

Default Statusaffected

Version 0:2.24.0-2.1.20240819gitc082797f.el8fdp

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Fast Datapath for Red Hat Enterprise Linux 9

Default Statusaffected

Version 0:2.24.0-2.1.20240819gitc082797f.el9fdp

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 7 Extended Lifecycle Support

Default Statusaffected

Version 0:2.11.0-13.el7_9

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 7 Extended Lifecycle Support

Default Statusaffected

Version 0:2.11.0-13.el7_9

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 8

Default Statusaffected

Version 0:2.22.1-5.el8_10

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 8

Default Statusaffected

Version 0:2.22.1-5.el8_10

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support

Default Statusaffected

Version 0:2.20.0-1.el8_4.2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Default Statusaffected

Version 0:2.20.0-1.el8_4.2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Default Statusaffected

Version 0:2.20.0-1.el8_4.2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support

Default Statusaffected

Version 0:2.20.0-1.el8_6.2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Default Statusaffected

Version 0:2.20.0-1.el8_6.2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions

Default Statusaffected

Version 0:2.20.0-1.el8_6.2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 8.8 Extended Update Support

Default Statusaffected

Version 0:2.20.0-2.el8_8.1

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 9

Default Statusaffected

Version 0:2.24.0-2.el9_5

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 9

Default Statusaffected

Version 0:2.24.0-2.el9_5

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 9.2 Extended Update Support

Default Statusaffected

Version 0:2.20.0-3.el9_2

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 9.4 Extended Update Support

Default Statusaffected

Version 0:2.22.1-3.el9_4

Version < *

Status unaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 10

Default Statusaffected

HerstellerRed Hat

≫

Produkt Red Hat Enterprise Linux 6

Default Statusunknown

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.093

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
secalert@redhat.com	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://access.redhat.com/errata/RHSA-2024:10384

https://access.redhat.com/errata/RHSA-2025:0879

https://access.redhat.com/errata/RHSA-2025:0880

https://security.opensuse.org/2024/11/26/tuned-instance-create.html

https://www.openwall.com/lists/oss-security/2024/11/28/1

https://www.openwall.com/lists/oss-security/2024/11/28/2

https://access.redhat.com/errata/RHSA-2024:10381

https://access.redhat.com/errata/RHSA-2024:11161

https://access.redhat.com/errata/RHSA-2025:0195

https://access.redhat.com/errata/RHSA-2025:0327

https://access.redhat.com/errata/RHSA-2025:0368

https://access.redhat.com/errata/RHSA-2025:0881