Unsanitized Data Passing in Needrestart Could Allow Local Attack
Key Information
- Vendor
- Needrestart
- Status
- Needrestart
- Vendor
- CVE Published:
- 19 November 2024
Badges
Summary
Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. Please see the related CVE-2024-10224 in Modules::ScanDeps.
Affected Version(s)
needrestart < 3.8
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Ubuntu affected by 10-year-old flaws in needrestart package
The five vulnerabilities could lead to local privilege escalation without user interaction.
2 weeks ago
Decades-Old Security Vulnerabilities Found in Ubuntu's Needrestart Package
Critical Ubuntu needrestart flaws allow local root privilege escalation; update immediately to safeguard systems.
2 weeks ago
CVSS V3.1
Timeline
- 👾
Exploit exists.
First article discovered by The Hacker News
Vulnerability published.
Vulnerability Reserved.