Overview
- Description: A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts to be passed by their absolute paths. These user- or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges, which could allow an attacker to achieve local privilege escalation.
- Source: secalert@redhat.com
- NVD status: Awaiting Analysis
Risk scores
CVSS 3.1
- Type: Secondary
- Base score: 7.8
- Impact score: 5.9
- Exploitability score: 1.8
- Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Severity: HIGH
Social media
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score: 1
Vulnerabilities in Linux Tuned Daemon CVE-2024-52336 (CVSS 7.8) CVE-2024-52337 (CVSS 5.5) https://t.co/1YvneDk7wQ
@elhackernet
2 Dec 2024
CVE-2024-52336 & CVE-2024-52337: Vulnerabilities in Linux Tuned Daemon https://t.co/ECTm09TYlR
@Dinosn
2 Dec 2024
CVE-2024-52336 & CVE-2024-52337: Vulnerabilities in Linux Tuned Daemon https://t.co/EJ8DVGCRUl
@testalways
2 Dec 2024
CVE-2024-52336 & CVE-2024-52337: Vulnerabilities in Linux Tuned Daemon Learn about the critical vulnerabilities in #Linux Tuned daemon and the security risks they pose. https://t.co/HEFqbhUIqp
@the_yellow_fall
2 Dec 2024
🗣 CVE-2024-52336 & CVE-2024-52337: Vulnerabilities in Linux Tuned Daemon https://t.co/vEHOLDtH8h
@fridaysecurity
2 Dec 2024
tuned: local root exploit in D-Bus method instance_create and other issues in tuned >= 2.23 (CVE-2024-52336, CVE-2024-52337) by Matthias Gerstner (SUSE) https://t.co/E125oic8Q2 Followup on D-Bus client identification by Simon McVittie (Debian) https://t.co/MBZBJ5rdlN
@oss_security
28 Nov 2024
CVE-2024-52336 A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authenti… https://t.co/73rLioXzAX
@CVEnew
26 Nov 2024