CVE-2024-52336
Published: Nov 26, 2024
Modified: Nov 8, 2025
CVSS v3.1
7.8
Description
A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user- or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges, which could allow attackers to achieve local privilege escalation.
| Vendor | Product | Versions |
|---|---|---|
| Unknown | tuned | affected 2.23.0 - < 2.24.1 |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 8 | unaffected 0:2.24.0-2.1.20240819gitc082797f.el8fdp - < * |
| Red Hat | Fast Datapath for Red Hat Enterprise Linux 9 | unaffected 0:2.24.0-2.1.20240819gitc082797f.el9fdp - < * |
| Red Hat | Red Hat Enterprise Linux 9 | unaffected 0:2.24.0-2.el9_5 - < * |
| Red Hat | Fast Datapath for RHEL 7 | All versions |
| Red Hat | Red Hat Enterprise Linux 10 | All versions |
| Red Hat | Red Hat Enterprise Linux 6 | All versions |
| Red Hat | Red Hat Enterprise Linux 7 | All versions |
| Red Hat | Red Hat Enterprise Linux 8 | All versions |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
References