{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2746", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-03-20T16:02:36.835Z", "datePublished": "2024-05-08T01:55:10.092Z", "dateUpdated": "2024-08-12T18:29:59.508Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "dnf5daemon-server", "vendor": "Fedora", "versions": [{"status": "affected", "version": "5.1.16"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incomplete fix for CVE-2024-1929<br><br>The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a<br>local root exploit by tricking the daemon into loading a user controlled \"plugin\". All of this happened before Polkit authentication was even started.<br><br>The dnf5 library code does not check whether non-root users control the directory in question.&nbsp;<br><br>On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file<br>that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.<br>The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics<br>are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.<br><br>Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify<br>a plethora of additional configuration options. This makes various&nbsp;additional code paths in libdnf5 accessible to the attacker."}], "value": "Incomplete fix for CVE-2024-1929\n\nThe problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a\nlocal root exploit by tricking the daemon into loading a user controlled \"plugin\". All of this happened before Polkit authentication was even started.\n\nThe dnf5 library code does not check whether non-root users control the directory in question.\u00a0\n\nOn one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file\nthat causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.\nThe file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics\nare accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.\n\nAlso, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify\na plethora of additional configuration options. This makes various\u00a0additional code paths in libdnf5 accessible to the attacker."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-07-12T19:00:40.624Z"}, "references": [{"url": "https://www.openwall.com/lists/oss-security/2024/04/03/5"}], "source": {"discovery": "UNKNOWN"}, "title": "Incomplete fix for CVE-2024-1929", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:25:41.295Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.openwall.com/lists/oss-security/2024/04/03/5", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "fedora", "product": "dnf5daemon-server", "cpes": ["cpe:2.3:a:fedora:dnf5daemon-server:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "5.1.16", "status": "affected", "lessThan": "5.1.17", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-08T14:43:25.427605Z", "id": "CVE-2024-2746", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T18:29:59.508Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.openwall.com/lists/oss-security/2024/04/03/5", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:25:41.295Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2746", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-08T14:43:25.427605Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:fedora:dnf5daemon-server:*:*:*:*:*:*:*:*"], "vendor": "fedora", "product": "dnf5daemon-server", "versions": [{"status": "affected", "version": "5.1.16", "lessThan": "5.1.17", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-12T18:29:55.352Z"}}], "cna": {"title": "Incomplete fix for CVE-2024-1929", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Fedora", "product": "dnf5daemon-server", "versions": [{"status": "affected", "version": "5.1.16"}], "platforms": ["Linux"], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.openwall.com/lists/oss-security/2024/04/03/5"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Incomplete fix for CVE-2024-1929\n\nThe problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a\nlocal root exploit by tricking the daemon into loading a user controlled \"plugin\". All of this happened before Polkit authentication was even started.\n\nThe dnf5 library code does not check whether non-root users control the directory in question.\u00a0\n\nOn one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file\nthat causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.\nThe file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics\nare accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.\n\nAlso, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify\na plethora of additional configuration options. This makes various\u00a0additional code paths in libdnf5 accessible to the attacker.", "supportingMedia": [{"type": "text/html", "value": "Incomplete fix for CVE-2024-1929<br><br>The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a<br>local root exploit by tricking the daemon into loading a user controlled \"plugin\". All of this happened before Polkit authentication was even started.<br><br>The dnf5 library code does not check whether non-root users control the directory in question.&nbsp;<br><br>On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file<br>that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.<br>The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics<br>are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.<br><br>Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify<br>a plethora of additional configuration options. This makes various&nbsp;additional code paths in libdnf5 accessible to the attacker.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-07-12T19:00:40.624Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2746", "state": "PUBLISHED", "dateUpdated": "2024-08-12T18:29:59.508Z", "dateReserved": "2024-03-20T16:02:36.835Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-05-08T01:55:10.092Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "Incomplete fix for CVE-2024-1929\n\nThe problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a\nlocal root exploit by tricking the daemon into loading a user controlled \"plugin\". All of this happened before Polkit authentication was even started.\n\nThe dnf5 library code does not check whether non-root users control the directory in question.\u00a0\n\nOn one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file\nthat causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.\nThe file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics\nare accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.\n\nAlso, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify\na plethora of additional configuration options. This makes various\u00a0additional code paths in libdnf5 accessible to the attacker."}, {"lang": "es", "value": "Soluci\u00f3n incompleta para CVE-2024-1929 El problema con CVE-2024-1929 era que el daemon dnf5 D-Bus aceptaba par\u00e1metros de configuraci\u00f3n arbitrarios de usuarios sin privilegios, lo que permit\u00eda un exploit de ra\u00edz local enga\u00f1ando al daemon para que cargara un \"complemento\" controlado por el usuario. Todo esto sucedi\u00f3 incluso antes de que se iniciara la autenticaci\u00f3n Polkit. El c\u00f3digo de la librer\u00eda dnf5 no comprueba si los usuarios no root controlan el directorio en cuesti\u00f3n. Por un lado, esto plantea un vector de ataque de denegaci\u00f3n de servicio al hacer que el daemon opere en un archivo de bloqueo (por ejemplo, un archivo especial llamado FIFO) o un archivo muy grande que causa una situaci\u00f3n de falta de memoria (por ejemplo, /dev/zero). Por otro lado, esto se puede utilizar para permitir que el daemon procese archivos privilegiados como /etc/shadow. El archivo en cuesti\u00f3n se analiza como un archivo INI. Los diagn\u00f3sticos de errores resultantes del an\u00e1lisis de archivos privilegiados podr\u00edan causar fugas de informaci\u00f3n, si estos diagn\u00f3sticos son accesibles para usuarios sin privilegios. Sin embargo, en el caso de libdnf5, no deber\u00eda existir ning\u00fan diagn\u00f3stico accesible para el usuario. Adem\u00e1s, un atacante local puede colocar un archivo de configuraci\u00f3n de repositorio v\u00e1lido en este directorio. Este archivo de configuraci\u00f3n permite especificar una gran cantidad de opciones de configuraci\u00f3n adicionales. Esto hace que el atacante pueda acceder a varias rutas de c\u00f3digo adicionales en libdnf5."}], "id": "CVE-2024-2746", "lastModified": "2024-11-21T09:10:25.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-05-08T02:15:09.677", "references": [{"source": "secalert@redhat.com", "url": "https://www.openwall.com/lists/oss-security/2024/04/03/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.openwall.com/lists/oss-security/2024/04/03/5"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{}

{}