
CVE-2024-52336

Date: November 26, 2024

A script injection vulnerability was identified in the Tuned package. The "instance_create()" D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to make a D-Bus call with the "script_pre" or "script_post" options, which accept arbitrary scripts specified by absolute path. These user- or attacker-controlled scripts or programs could then be executed by Tuned with root privileges, allowing local privilege escalation.

Language: Python

Severity Score

Weakness Type (CWE)

Improper Privilege Management

CWE-269

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH
