Bareos Fixes Command ACL Issue
CVE-2024-45044

8.8 HIGH

Key Information:

Vendor: Bareos
Status: Vendor
CVE Published: 10 September 2024

Summary

A vulnerability in the Bareos backup software allows users to bypass command access control lists (ACLs) by executing abbreviated forms of commands. If a command ACL prohibits certain commands, a user can issue a shorter, abbreviated form of a prohibited command without triggering the ACL checks, because the check is not applied to the command the abbreviation expands to. As a result, commands intended to be restricted can still be executed, for example by using 'w' as a shorthand for 'whoami'. The behaviour is mainly a risk when negative ACLs (entries that deny specific commands) are in use. The issue has been resolved in Bareos versions 23.0.4, 22.1.6 and 21.1.11, which properly enforce command permissions.
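As an added illustration, not Bareos code, the Python below models the bug class described above: the ACL is evaluated against the literal input before the abbreviation is expanded, so a negative entry such as `!whoami` never matches the text `w`. The command list and ACL syntax are constructed for the example; the corrected dispatcher expands the abbreviation first and checks the ACL against the full command name.

```python
# Constructed model of the flaw: a console that expands unique-prefix
# abbreviations of commands, guarded by a negative command ACL.
# Command names and ACL syntax are hypothetical; this is not Bareos code.

COMMANDS = ["list", "restore", "run", "status", "whoami"]  # constructed list

# Negative ACL: "!name" denies a command, "*all*" then allows everything else.
ACL = ["!whoami", "*all*"]


def resolve(cmd_text, commands=COMMANDS):
    """Expand an abbreviation to a full command name; None if unknown/ambiguous."""
    if cmd_text in commands:
        return cmd_text
    matches = [c for c in commands if c.startswith(cmd_text)]
    return matches[0] if len(matches) == 1 else None


def acl_allows(acl, name):
    """First matching ACL entry decides; no match means deny."""
    for entry in acl:
        if entry.startswith("!"):
            if entry[1:] == name:
                return False
        elif entry in ("*all*", name):
            return True
    return False


def dispatch_vulnerable(acl, cmd_text):
    """Flawed order: ACL is checked against the literal input before expansion."""
    if not acl_allows(acl, cmd_text):
        return "denied"
    full = resolve(cmd_text)
    return f"ran {full}" if full else "unknown command"


def dispatch_fixed(acl, cmd_text):
    """Corrected order: expand first, then check the ACL against the full name."""
    full = resolve(cmd_text)
    if full is None:
        return "unknown command"
    if not acl_allows(acl, full):
        return "denied"
    return f"ran {full}"
```

Running `dispatch_vulnerable(ACL, "w")` returns "ran whoami" even though "whoami" itself is denied, while `dispatch_fixed` denies both spellings.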

Affected Version(s)

bareos >= 23.0.0, < 23.0.4 (fixed in 23.0.4)

bareos >= 22.0.0, < 22.1.6 (fixed in 22.1.6)

bareos < 21.1.11 (fixed in 21.1.11)

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved