CVE-2024-11003

Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. Please see the related CVE-2024-10224 in Modules::ScanDeps.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/liske/needrestart/commit/0f80a348883f72279a859ee655f58da34babefb0
https://www.cve.org/CVERecord?id=CVE-2024-10224
https://www.cve.org/CVERecord?id=CVE-2024-11003
https://www.qualys.com/2024/11/19/needrestart/needrestart.txt
https://www.openwall.com/lists/oss-security/2024/11/19/1

Configurations

No configuration.

History

03 Dec 2024, 14:15

Type	Values Removed	Values Added
References		() https://www.openwall.com/lists/oss-security/2024/11/19/1 -
Summary		(es) Qualys descubrió que needrestart, antes de la versión 3.8, pasa datos no desinfectados a una librería (Modules::ScanDeps) que espera una entrada segura. Esto podría permitir que un atacante local ejecute comandos de shell arbitrarios. Consulte el CVE-2024-10224 relacionado en Modules::ScanDeps.

19 Nov 2024, 20:35

Type	Values Removed	Values Added
CWE		CWE-78

19 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-19 18:15

Updated : 2024-12-03 14:15

NVD link : CVE-2024-11003

Mitre link : CVE-2024-11003

CVE.ORG link : CVE-2024-11003

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

7.8 /10