CVE-2024-32019

Published: Apr 12, 2024

Modified: Sep 6, 2024

PUBLISHED

CVSS v3.1

8.8

HIGH

Description

Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor	Product	Versions
netdata	netdata	affected `>= 1.45.0, < 1.45.3` affected `>= 1.44.0-60, < 1.45.0-169`

Weaknesses (CWE)

CWE-426

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93

x_refsource_CONFIRM

https://github.com/netdata/netdata/pull/17377

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-32019

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References