CVE-2024-2746 – Incomplete fix for CVE-2024-1929
https://notcve.org/view.php?id=CVE-2024-2746
Incomplete fix for CVE-2024-1929. The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user-controlled "plugin". All of this happened before Polkit authentication was even started. The fix left a gap: the dnf5 library code does not check whether non-root users control the directory it is made to read from. On one hand, this poses a denial-of-service vector, by making the daemon operate on a blocking file (e.g. a named FIFO special file) or on a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, it can be used to make the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file; error diagnostics resulting from parsing privileged files could leak information if these diagnostics are accessible to unprivileged users. • https://github.com/xct/CVE-2024-27460 https://github.com/Alaatk/CVE-2024-27460 https://github.com/Alaatk/CVE-2024-27462 https://github.com/10cks/CVE-2024-27460-installer https://www.openwall.com/lists/oss-security/2024/04/03/5 • CWE-20: Improper Input Validation •
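The check the advisory says is missing, as an added example (this is not libdnf5 or dnf5daemon-server code, and `validate_config_path`, `PathCheck` and the 1 MiB size cap are names and values chosen for this illustration): before a privileged daemon parses a file whose path came from an unprivileged client, every parent directory must be root-owned and not group/world-writable, the file itself must be a regular file (which excludes a FIFO and device nodes such as /dev/zero), and its size must be bounded so that reading it into an INI parser cannot exhaust memory. The file is inspected through the descriptor that would later be read, with O_NONBLOCK so a FIFO cannot block the open and O_NOFOLLOW so the last component cannot be a planted symlink.

```cpp
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Outcome of validating a caller-supplied path (example code, not libdnf5's API).
enum class PathCheck {
    Ok,
    NotAbsolute,         // a relative path would resolve against the daemon's cwd
    UntrustedDirectory,  // a parent directory is not root-owned or is group/world-writable
    OpenFailed,
    NotRegularFile,      // FIFO, device node such as /dev/zero, socket, directory
    TooLarge             // reading it whole into an INI parser would exhaust memory
};

// Walk "/" and every directory prefix of `path`. Each must be a directory owned
// by root (uid 0) and not writable by group or others; otherwise an unprivileged
// user could plant or swap the file the privileged daemon is about to parse.
static bool parent_dirs_trusted(const std::string& path) {
    std::string::size_type pos = 0;
    for (;;) {
        const std::string prefix = (pos == 0) ? std::string("/") : path.substr(0, pos);
        struct stat st {};
        if (stat(prefix.c_str(), &st) != 0) return false;
        if (!S_ISDIR(st.st_mode)) return false;
        if (st.st_uid != 0) return false;
        if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) return false;
        pos = path.find('/', pos + 1);
        if (pos == std::string::npos) break;
    }
    return true;
}

// Validate before parsing. The file is inspected through the descriptor that
// would be read (open + fstat), so the check and the read see the same object.
PathCheck validate_config_path(const std::string& path, std::size_t max_size) {
    if (path.empty() || path[0] != '/') return PathCheck::NotAbsolute;
    if (!parent_dirs_trusted(path)) return PathCheck::UntrustedDirectory;

    // O_NONBLOCK: opening a FIFO with no writer must not hang the daemon.
    // O_NOFOLLOW: the final component may not be a symlink.
    const int fd = open(path.c_str(), O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return PathCheck::OpenFailed;

    struct stat st {};
    const int rc = fstat(fd, &st);
    close(fd);
    if (rc != 0) return PathCheck::OpenFailed;
    if (!S_ISREG(st.st_mode)) return PathCheck::NotRegularFile;
    if (static_cast<std::uintmax_t>(st.st_size) > max_size) return PathCheck::TooLarge;
    return PathCheck::Ok;
}

int main() {
    // Constructed inputs: the two failure modes named in the advisory plus a sane file.
    const char* samples[] = {"/dev/zero", "/tmp/attacker-owned.conf", "/etc/passwd"};
    for (const char* p : samples) {
        std::printf("%-28s -> %d\n", p, static_cast<int>(validate_config_path(p, 1u << 20)));
    }
    return 0;
}
```

The directory walk is done before the open so that a file under a user-controlled directory is never opened at all; a real daemon would additionally keep the returned descriptor and parse from it instead of reopening by name.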
CVE-2024-1929 – Local Root Exploit via Configuration Dictionary
https://notcve.org/view.php?id=CVE-2024-1929
Local Root Exploit via Configuration Dictionary in dnf5daemon-server before 5.1.17 allows a malicious local user to impact Confidentiality and Integrity. There are issues with the D-Bus interface long before Polkit is invoked. The `org.rpm.dnf.v0.SessionManager.open_session` method takes a key/value map of configuration entries. A sub-entry of this map, placed under the "config" key, is another key/value map; the configuration values found in it are forwarded as configuration overrides to the `libdnf5::Base` configuration. Practically every aspect of the libdnf5 configuration can be influenced this way, and libdnf5 is already initialized with these override values when the session is opened via D-Bus, before any Polkit check has taken place. • https://www.openwall.com/lists/oss-security/2024/03/04/2 • CWE-20: Improper Input Validation •
CVE-2024-1930 – No Limit on Number of Open Sessions / Bad Session Close Behaviour
https://notcve.org/view.php?id=CVE-2024-1930
No Limit on Number of Open Sessions / Bad Session Close Behaviour in dnf5daemon-server before 5.1.17 allows a malicious user to impact Availability. There is no limit on how many sessions D-Bus clients may create using the `open_session()` D-Bus method. For each session a thread is created in dnf5daemon-server, which spends a couple of hundred megabytes of memory in the process. Further connections then become impossible, likely because no more threads can be spawned by the D-Bus service. • https://www.openwall.com/lists/oss-security/2024/03/04/2 • CWE-400: Uncontrolled Resource Consumption •
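Both CVE-2024-1929 (arbitrary configuration overrides accepted from the "config" map) and CVE-2024-1930 (unbounded sessions) are problems in how `open_session` treats its caller. The sketch below is an added example of the two controls a hardened session manager would apply, and is not dnf5daemon-server's own code: the allowlist `kClientSettableOptions`, the `SessionLimits` numbers, and the `SessionManager`/`filter_overrides` names are assumptions made for this illustration. Overrides are reduced to an allowlist of options that only tune a transaction (anything that changes where plugins or configuration are loaded from is dropped), and sessions are counted per Unix uid, because a client can open any number of bus connections and each gets a fresh D-Bus unique name, so counting per connection would not bound memory.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

using ConfigMap = std::map<std::string, std::string>;

// Illustrative allowlist (an assumption of this example, not dnf5's real list):
// options an unprivileged caller may set because they only restrict or tune a
// transaction, never where code or configuration is loaded from.
static const std::set<std::string> kClientSettableOptions = {
    "best", "skip_broken", "skip_unavailable", "allow_downgrade",
};

struct FilterResult {
    ConfigMap accepted;                 // overrides that may reach libdnf5::Base
    std::vector<std::string> rejected;  // keys dropped; a daemon would log these
};

// Anything not on the allowlist, e.g. "pluginpath", "plugins", "installroot"
// or "config_file_path", is dropped rather than forwarded.
FilterResult filter_overrides(const ConfigMap& requested) {
    FilterResult out;
    for (const auto& kv : requested) {
        if (kClientSettableOptions.count(kv.first)) out.accepted.insert(kv);
        else out.rejected.push_back(kv.first);
    }
    return out;
}

struct SessionLimits {
    std::size_t per_uid = 3;  // assumed values; tune to real workloads
    std::size_t total = 64;
};

struct OpenResult {
    unsigned long id = 0;               // 0 means the request was refused
    ConfigMap applied;                  // overrides the session was created with
    std::vector<std::string> rejected;  // overrides that were silently dropped
};

// Sessions are keyed by the caller's Unix uid. A real daemon obtains it for a
// bus connection with org.freedesktop.DBus.GetConnectionUnixUser.
class SessionManager {
public:
    explicit SessionManager(SessionLimits limits) : limits_(limits) {}

    OpenResult open_session(unsigned uid, const ConfigMap& requested) {
        OpenResult r;
        if (sessions_.size() >= limits_.total) return r;
        if (open_count(uid) >= limits_.per_uid) return r;
        FilterResult f = filter_overrides(requested);
        r.applied = f.accepted;
        r.rejected = f.rejected;
        r.id = ++next_id_;
        sessions_[r.id] = uid;
        ++per_uid_[uid];
        return r;
    }

    // Only the owning uid may close a session; closing releases its quota slot.
    bool close_session(unsigned uid, unsigned long id) {
        auto it = sessions_.find(id);
        if (it == sessions_.end() || it->second != uid) return false;
        --per_uid_[uid];
        sessions_.erase(it);
        return true;
    }

    std::size_t open_count(unsigned uid) const {
        auto it = per_uid_.find(uid);
        return it == per_uid_.end() ? 0 : it->second;
    }

private:
    SessionLimits limits_;
    unsigned long next_id_ = 0;
    std::map<unsigned long, unsigned> sessions_;  // session id -> owning uid
    std::map<unsigned, std::size_t> per_uid_;     // uid -> open sessions
};

int main() {
    SessionManager mgr{SessionLimits{}};
    // Constructed request: a harmless option next to one that must never be honoured.
    OpenResult r = mgr.open_session(1000, {{"best", "true"}, {"pluginpath", "/home/user/plugins"}});
    std::printf("session %lu, applied %zu override(s), dropped %zu\n",
                r.id, r.applied.size(), r.rejected.size());
    for (int i = 0; i < 4; ++i) {
        std::printf("extra session %d -> id %lu\n", i, mgr.open_session(1000, {}).id);
    }
    return 0;
}
```

The per-uid counter is what makes the limit meaningful; the global `total` cap is a backstop so that many distinct uids cannot collectively exhaust the daemon either.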