Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2024-1929

Опубликовано: 08 мая 2024
Источник: nvd
CVSS3: 7.5
CVSS3: 8.4
EPSS Низкий

Описание

Local Root Exploit via Configuration Dictionary in dnf5daemon-server before 5.1.17 allows a malicious user to impact Confidentiality and Integrity via Configuration Dictionary.

There are issues with the D-Bus interface long before Polkit is invoked. The org.rpm.dnf.v0.SessionManager.open_session method takes a key/value map of configuration entries. A sub-entry in this map, placed under the "config" key, is another key/value map. The configuration values found in it will be forwarded as configuration overrides to the libdnf5::Base configuration. 

Practically all libdnf5 configuration aspects can be influenced here. Already when opening the session via D-Bus, the libdnf5 will be initialized using these override configuration values. There is no sanity checking of the content of this "config" map, which is untrusted data. It is possible to make the library loading a plug-in shared library under control of an unprivileged user, hence achieving root access. 

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:rpm:dnf5:*:*:*:*:*:*:*:*
Версия до 5.1.17 (исключая)

EPSS

Процентиль: 27%
0.00097
Низкий

7.5 High

CVSS3

8.4 High

CVSS3

Дефекты

CWE-20
NVD-CWE-noinfo

Связанные уязвимости

msrc логотип

CVE-2024-1929

CVSS3: 7.5
msrc
5 месяцев назад

Local Root Exploit via Configuration Dictionary

github логотип

GHSA-px8m-3p25-24qw

CVSS3: 7.5
github
больше 1 года назад

Local Root Exploit via Configuration Dictionary in dnf5daemon-server before 5.1.17 allows a malicious user to impact Confidentiality and Integrity via Configuration Dictionary. There are issues with the D-Bus interface long before Polkit is invoked. The `org.rpm.dnf.v0.SessionManager.open_session` method takes a key/value map of configuration entries. A sub-entry in this map, placed under the "config" key, is another key/value map. The configuration values found in it will be forwarded as configuration overrides to the `libdnf5::Base` configuration.  Practically all libdnf5 configuration aspects can be influenced here. Already when opening the session via D-Bus, the libdnf5 will be initialized using these override configuration values. There is no sanity checking of the content of this "config" map, which is untrusted data. It is possible to make the library loading a plug-in shared library under control of an unprivileged user, hence achieving root access. 

EPSS

Процентиль: 27%
0.00097
Низкий

7.5 High

CVSS3

8.4 High

CVSS3

Дефекты

CWE-20
NVD-CWE-noinfo