UBUNTU-CVE-2024-52336

Source
https://ubuntu.com/security/CVE-2024-52336
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-52336.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-52336
Related
  • CVE-2024-52336
Published
2024-11-26T16:15:00Z
Modified
2024-11-28T04:31:41Z
Summary
[none]
Details

A script injection vulnerability was identified in the Tuned package. The instance_create() D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with script_pre or script_post options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.

References

Affected packages

Ubuntu:Pro:18.04:LTS / tuned

Package

Name
tuned
Purl
pkg:deb/ubuntu/tuned?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.8.0-1
2.9.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / tuned

Package

Name
tuned
Purl
pkg:deb/ubuntu/tuned?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.10.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / tuned

Package

Name
tuned
Purl
pkg:deb/ubuntu/tuned?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.15.0-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / tuned

Package

Name
tuned
Purl
pkg:deb/ubuntu/tuned?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.21.0-1ubuntu2
2.22.1-1ubuntu1
2.22.1-1ubuntu3
2.22.1-1ubuntu4

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / tuned

Package

Name
tuned
Purl
pkg:deb/ubuntu/tuned?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.20.0-1
2.20.0-1.1
2.21.0-1
2.21.0-1ubuntu2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}