CVE-2024-45044

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-45044
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45044.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-45044
Aliases
  • GHSA-jfww-q346-r2r8
Downstream
Published
2024-09-10T14:57:57.464Z
Modified
2025-12-05T06:15:50.454480Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Bareos's negative command ACLs can be circumvented by abbreviating commands
Details

Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (e.g. "w" for "whoami"), the ACL check was applied to the abbreviated form ("w") rather than to the full command name ("whoami"). If the command ACL is configured with a negative ACL that is meant to forbid the "whoami" command, "w" or "who" could still be used successfully as that command. Fixes for the problem are shipped in Bareos versions 23.0.4, 22.1.6 and 21.1.11. If only positive command ACLs are used without any negation, the problem does not occur.
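The ordering defect described above, modelled as an added illustration (this is not Bareos code; the command table, the "first match wins" ACL semantics and the prefix-resolution rule are constructed simplifications). It shows the pre-fix check, which evaluates the ACL against the typed token, beside the fixed check, which resolves the abbreviation first, and adds a small audit helper an administrator can run over a command ACL to list which negated commands would still be reachable under the pre-fix behaviour:

```python
"""Model of the CVE-2024-45044 ACL ordering bug: the Command ACL was evaluated
against the token the user typed, not the command it resolves to.
Added example, not Bareos code; command table and ACL syntax are simplified."""

from __future__ import annotations

from typing import Optional

# Constructed command table: a small subset of bconsole command names.
COMMANDS = ("list", "run", "status", "whoami")


def resolve(token: str) -> Optional[str]:
    """Expand an abbreviation to a full command name.

    Simplification: a token resolves only if exactly one command has it as a
    prefix ("w" and "who" both resolve to "whoami"); otherwise None.
    """
    matches = [c for c in COMMANDS if c.startswith(token.lower())]
    return matches[0] if len(matches) == 1 else None


def acl_allows(acl: list[str], command: str) -> bool:
    """Simplified Command ACL evaluation (assumed semantics, not Bareos's exact rules):
    entries are checked in order and the first match wins; '!name' denies,
    'name' allows, '*all*' matches every command; no match means deny."""
    for entry in acl:
        negate = entry.startswith("!")
        pattern = entry[1:] if negate else entry
        if pattern == "*all*" or pattern == command:
            return not negate
    return False


def dispatch_vulnerable(acl: list[str], token: str) -> str:
    """Pre-fix behaviour: the ACL sees the abbreviated token the user typed."""
    full = resolve(token)
    if full is None:
        return "unknown command"
    if not acl_allows(acl, token):  # defect: checks "w", not "whoami"
        return "denied"
    return f"ran {full}"


def dispatch_fixed(acl: list[str], token: str) -> str:
    """Post-fix behaviour: resolve the abbreviation, then check the full name."""
    full = resolve(token)
    if full is None:
        return "unknown command"
    if not acl_allows(acl, full):
        return "denied"
    return f"ran {full}"


def bypassable_denials(acl: list[str]) -> set[str]:
    """Audit helper: commands denied by full name that some abbreviation would
    still reach under the pre-fix check. Empty for purely positive ACLs."""
    found: set[str] = set()
    for full in COMMANDS:
        if acl_allows(acl, full):
            continue
        for n in range(1, len(full)):
            token = full[:n]
            if resolve(token) == full and acl_allows(acl, token):
                found.add(full)
                break
    return found


if __name__ == "__main__":
    negative_acl = ["!whoami", "*all*"]      # constructed: forbid whoami, allow the rest
    positive_acl = ["list", "status"]        # constructed: allow-list only, no negation
    for tok in ("whoami", "who", "w"):
        print(f"{tok!r:9} pre-fix: {dispatch_vulnerable(negative_acl, tok):12}"
              f" fixed: {dispatch_fixed(negative_acl, tok)}")
    print("bypassable with negative ACL:", bypassable_denials(negative_acl))
    print("bypassable with positive ACL:", bypassable_denials(positive_acl))
```

Running the script shows the negative ACL denying the full name "whoami" but letting "who" and "w" through under the pre-fix check, while the fixed check denies all three; the audit helper reports "whoami" as bypassable for the negative ACL and nothing for the positive-only one, matching the advisory's note that configurations without negation are unaffected.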

Database specific
{
    "cwe_ids": [
        "CWE-285"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/45xxx/CVE-2024-45044.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/bareos/bareos

Affected ranges

Type
GIT
Repo
https://github.com/bareos/bareos
Events
Database specific
{
    "versions": [
        {
            "introduced": "23.0.0"
        },
        {
            "fixed": "23.0.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/bareos/bareos
Events
Database specific
{
    "versions": [
        {
            "introduced": "22.0.0"
        },
        {
            "fixed": "22.1.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/bareos/bareos
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "21.1.11"
        }
    ]
}

Affected versions

Release/12.*

Release/12.4.0
Release/12.4.1

Release/15.*

Release/15.2.1
Release/15.2.2
Release/15.2.3
Release/15.2.4

Release/16.*

Release/16.2.4
Release/16.2.4-rc1
Release/16.2.5
Release/16.2.5-win-installer-fix
Release/16.2.6
Release/16.2.7
Release/16.2.8

Release/17.*

Release/17.2.4
Release/17.2.4-rc1
Release/17.2.4-rc2
Release/17.2.5
Release/17.2.6
Release/17.2.7

Release/18.*

Release/18.2.4-rc1
Release/18.2.4-rc2
Release/18.2.5
Release/18.4.1

Release/21.*

Release/21.0.0
Release/21.1.0
Release/21.1.1
Release/21.1.10
Release/21.1.2
Release/21.1.3
Release/21.1.4
Release/21.1.5
Release/21.1.6
Release/21.1.7
Release/21.1.8
Release/21.1.9

Release/22.*

Release/22.0.0
Release/22.0.1
Release/22.0.2
Release/22.0.3
Release/22.1.0
Release/22.1.1
Release/22.1.2
Release/22.1.3
Release/22.1.4
Release/22.1.5

Release/23.*

Release/23.0.0
Release/23.0.1
Release/23.0.2
Release/23.0.3

Release/bacula-5.*

Release/bacula-5.2.13

WIP/17.*

WIP/17.2.8-pre

WIP/19.*

WIP/19.2.4-pre

WIP/20.*

WIP/20.0.0-pre

WIP/21.*

WIP/21.0.0-pre
WIP/21.0.1-pre
WIP/21.1.1-pre
WIP/21.1.10-pre
WIP/21.1.2-pre
WIP/21.1.3-pre
WIP/21.1.4-pre
WIP/21.1.5-pre
WIP/21.1.6-pre
WIP/21.1.7-pre
WIP/21.1.8-pre
WIP/21.1.9-pre

WIP/22.*

WIP/22.0.0-pre
WIP/22.0.1-pre
WIP/22.0.2-pre
WIP/22.0.3-pre
WIP/22.0.4-pre
WIP/22.1.1-pre
WIP/22.1.2-pre
WIP/22.1.3-pre
WIP/22.1.4-pre
WIP/22.1.5-pre

WIP/23.*

WIP/23.0.0-pre
WIP/23.0.1-pre
WIP/23.0.2-pre
WIP/23.0.3-pre

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-45044.json"