UBUNTU-CVE-2024-45044

Source
https://ubuntu.com/security/CVE-2024-45044
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-45044.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-45044
Upstream
Published
2024-09-10T15:15:00Z
Modified
2025-10-24T05:12:19Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Ubuntu - medium
Summary
[none]
Details

Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (e.g. "w" for "whoami"), the ACL check was applied to the abbreviated form ("w") rather than to the full form ("whoami"). If the command ACL is configured with a negative ACL that should forbid the "whoami" command, a user could still run it successfully as "w" or "who". Fixes for the problem are shipped in Bareos versions 23.0.4, 22.1.6 and 21.1.11. If only positive command ACLs are used, without any negation, the problem does not occur.

References

Affected packages

Ubuntu:16.04:LTS / bareos

Package

Name
bareos
Purl
pkg:deb/ubuntu/bareos@14.2.6-3?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

14.*
14.2.5-1
14.2.5-2
14.2.6-1
14.2.6-2
14.2.6-2build1
14.2.6-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "bareos",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-bat",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-bconsole",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-client",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-common",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-database-common",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-database-mysql",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-database-postgresql",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-database-sqlite3",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-database-tools",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-devel",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-director",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-director-python-plugin",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-filedaemon",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-filedaemon-python-plugin",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-storage",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-storage-fifo",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-storage-python-plugin",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-storage-tape",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-tools",
            "binary_version": "14.2.6-3"
        },
        {
            "binary_name": "bareos-traymonitor",
            "binary_version": "14.2.6-3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-45044.json"