Home > Vulnerability Database > CVE-2024-45044

Mend.io Vulnerability Database

CVE-2024-45044

Date: September 10, 2024

Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (i.e. "w" for "whoami") the ACL check did not apply to the full form (i.e. "whoami") but to the abbreviated form (i.e. "w"). If the command ACL is configured with negative ACL that should forbid using the "whoami" command, you could still use "w" or "who" as a command successfully. Fixes for the problem are shipped in Bareos versions 23.0.4, 22.1.6 and 21.1.11. If only positive command ACLs are used without any negation, the problem does not occur.

Language: C++

Severity Score

8.8

Related Resources (5)

Url: https://github.com/bareos/bareos/commit/2a026698b87d13bd1c6275726b5e826702f81dd5

Url: https://github.com/bareos/bareos/pull/1875

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-45044

Url: https://github.com/bareos/bareos/security/advisories/GHSA-jfww-q346-r2r8

Url: https://www.mend.io/vulnerability-database/CVE-2024-45044

Severity Score

8.8

Weakness Type (CWE)

Improper Authorization

CWE-285

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-45044

Date: September 10, 2024

Language: C++

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?