Import Source
https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64337.json
JSON Data
https://api.osv.dev/v1/vulns/AZL-64337
Upstream
Published
2025-06-26T10:15:24Z
Modified
2026-04-21T04:32:21.840078Z
Summary
CVE-2024-11584 affecting package cloud-init for versions less than 24.3.1-2
Details

cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.

References

Affected packages

Azure Linux:3 / cloud-init

Package

Name
cloud-init
Purl
pkg:rpm/azure-linux/cloud-init

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
24.3.1-2

Database specific

source
"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-64337.json"