We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.
Reserved 2024-11-08 | Published 2024-11-26 | Updated 2024-12-05 | Assigner redhat2024-11-08: | Reported to Red Hat. |
2024-11-26: | Made public. |
Red Hat would like to thank Matthias Gerstner (SUSE Security Team) for reporting this issue.
access.redhat.com/errata/RHSA-2024:10384 (RHSA-2024:10384)
access.redhat.com/security/cve/CVE-2024-52336
bugzilla.redhat.com/show_bug.cgi?id=2324540 (RHBZ#2324540)
security.opensuse.org/2024/11/26/tuned-instance-create.html
www.openwall.com/lists/oss-security/2024/11/28/1
Support options