Description
A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack.
Report
This vulnerability requires enabling the pam_env.so "user_readenv" option. It is disabled by default in Fedora and RHEL and marked as deprecated/unsafe. In Debian/openSUSE it is enabled by default.
Mitigation
Disable pam_env's user_readenv option in the PAM config.
Affected packages
Platform | Package | Status | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 10 | cockpit | Not affected | | |
Red Hat Enterprise Linux 7 | cockpit | Out of support scope | | |
Red Hat Enterprise Linux 8 | cockpit | Fix deferred | | |
Red Hat Enterprise Linux 9 | cockpit | Fixed | RHSA-2024:9325 | 12.11.2024 |
Additional information
EPSS: 3.2 Low
CVSS3