A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.
Fixes

Solution

No solution given by the vendor.


Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

History

Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0008}

epss

{'score': 0.00052}


Wed, 21 May 2025 03:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10

Wed, 26 Feb 2025 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.2

Tue, 25 Feb 2025 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.4

Tue, 25 Feb 2025 12:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.2::appstream
cpe:/a:redhat:rhel_eus:9.2::nfv
cpe:/a:redhat:rhel_eus:9.2::realtime
cpe:/a:redhat:rhel_eus:9.2::sap
cpe:/a:redhat:rhel_eus:9.2::sap_hana
cpe:/o:redhat:rhel_eus:9.2::baseos
References

Tue, 25 Feb 2025 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.4::appstream
cpe:/a:redhat:rhel_eus:9.4::nfv
cpe:/a:redhat:rhel_eus:9.4::realtime
cpe:/a:redhat:rhel_eus:9.4::sap
cpe:/a:redhat:rhel_eus:9.4::sap_hana
cpe:/o:redhat:rhel_eus:9.4::baseos
References

Thu, 13 Feb 2025 00:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6

Mon, 03 Feb 2025 20:00:00 +0000


Thu, 16 Jan 2025 12:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::nfv
cpe:/a:redhat:rhel_e4s:8.6::sap
cpe:/a:redhat:rhel_e4s:8.6::sap_hana
cpe:/a:redhat:rhel_tus:8.6::appstream
cpe:/a:redhat:rhel_tus:8.6::nfv
cpe:/a:redhat:rhel_tus:8.6::realtime
cpe:/o:redhat:rhel_aus:8.6::baseos
cpe:/o:redhat:rhel_e4s:8.6::baseos
cpe:/o:redhat:rhel_tus:8.6::baseos
References

Wed, 15 Jan 2025 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_e4s:8.4::appstream
cpe:/a:redhat:rhel_e4s:8.4::sap
cpe:/a:redhat:rhel_e4s:8.4::sap_hana
cpe:/a:redhat:rhel_tus:8.4::appstream
cpe:/a:redhat:rhel_tus:8.4::nfv
cpe:/a:redhat:rhel_tus:8.4::realtime
cpe:/o:redhat:rhel_aus:8.4::baseos
cpe:/o:redhat:rhel_e4s:8.4::baseos
cpe:/o:redhat:rhel_tus:8.4::baseos
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
References

Thu, 09 Jan 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:8.8::appstream
cpe:/a:redhat:rhel_eus:8.8::nfv
cpe:/a:redhat:rhel_eus:8.8::realtime
cpe:/a:redhat:rhel_eus:8.8::sap
cpe:/a:redhat:rhel_eus:8.8::sap_hana
cpe:/o:redhat:rhel_eus:8.8::baseos
Vendors & Products Redhat rhel Eus
References

Wed, 18 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:8

Wed, 18 Dec 2024 08:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:8::appstream
cpe:/a:redhat:enterprise_linux:8::nfv
cpe:/a:redhat:enterprise_linux:8::realtime
cpe:/a:redhat:enterprise_linux:8::sap
cpe:/a:redhat:enterprise_linux:8::sap_hana
cpe:/o:redhat:enterprise_linux:8::baseos
References

Mon, 02 Dec 2024 08:00:00 +0000

Type Values Removed Values Added
References

Fri, 29 Nov 2024 05:30:00 +0000


Fri, 29 Nov 2024 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Extras Sap Els
Redhat rhel Extras Sap Hana Els
CPEs cpe:/o:redhat:enterprise_linux:7 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::nfv
cpe:/a:redhat:enterprise_linux:9::realtime
cpe:/a:redhat:enterprise_linux:9::sap
cpe:/a:redhat:enterprise_linux:9::sap_hana
cpe:/a:redhat:rhel_extras_sap_els:7
cpe:/a:redhat:rhel_extras_sap_hana_els:7
cpe:/o:redhat:enterprise_linux:9::baseos
Vendors & Products Redhat rhel Extras Sap Els
Redhat rhel Extras Sap Hana Els

Wed, 27 Nov 2024 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
Redhat rhel Extras Rt Els
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_extras_rt_els:7
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els
Redhat rhel Extras Rt Els
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 26 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::nfv
cpe:/a:redhat:enterprise_linux:9::realtime
cpe:/a:redhat:enterprise_linux:9::sap
cpe:/a:redhat:enterprise_linux:9::sap_hana
cpe:/a:redhat:rhel_extras_rt_els:7
cpe:/a:redhat:rhel_extras_sap_els:7
cpe:/a:redhat:rhel_extras_sap_hana_els:7
cpe:/o:redhat:enterprise_linux:9::baseos
cpe:/o:redhat:rhel_els:7
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat rhel Els
Redhat rhel Extras Rt Els
Redhat rhel Extras Sap Els
Redhat rhel Extras Sap Hana Els
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
Redhat rhel Extras Rt Els
Redhat rhel Extras Sap Els
Redhat rhel Extras Sap Hana Els
CPEs cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:9
cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::nfv
cpe:/a:redhat:enterprise_linux:9::realtime
cpe:/a:redhat:enterprise_linux:9::sap
cpe:/a:redhat:enterprise_linux:9::sap_hana
cpe:/a:redhat:rhel_extras_rt_els:7
cpe:/a:redhat:rhel_extras_sap_els:7
cpe:/a:redhat:rhel_extras_sap_hana_els:7
cpe:/o:redhat:enterprise_linux:9::baseos
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els
Redhat rhel Extras Rt Els
Redhat rhel Extras Sap Els
Redhat rhel Extras Sap Hana Els
References

Tue, 26 Nov 2024 15:30:00 +0000

Type Values Removed Values Added
Description A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.
Title Tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-20
CPEs cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:7::fastdatapath
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:8::fastdatapath
cpe:/o:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:9::fastdatapath
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-04T04:06:31.576Z

Reserved: 2024-11-08T13:09:39.005Z

Link: CVE-2024-52337

cve-icon Vulnrichment

Updated: 2024-11-29T04:33:54.110Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-26T16:15:17.717

Modified: 2025-02-25T12:15:31.000

Link: CVE-2024-52337

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-11-26T12:00:00Z

Links: CVE-2024-52337 - Bugzilla

cve-icon OpenCVE Enrichment

No data.