CVE-2024-22037

Advisory lineage Upstream: 0 Downstream: 5

Downstream

SUSE-RU-2024:4008-1 SUSE-SU-2025:0524-1 SUSE-SU-2025:0525-1 SUSE-SU-2025:0532-1 SUSE-SU-2025:20124-1

Deferred

Published: 28 Nov 2024, 09:46

Last modified:28 Nov 2024, 12:15

Vulnerability Summary

Overall Risk (default)

low

23/100

CVSS Score

5.7 MEDIUM

v4.0 (cve.org)

EPSS Score

0.02% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

28 Nov 2024, 09:46

Published

Vulnerability first disclosed

28 Nov 2024, 12:15

Last Modified

Vulnerability information updated

Description

The uyuni-server-attestation systemd service needs a database_password environment variable. This file has 640 permission, and cannot be shown users, but the environment is still exposed by systemd to non-privileged users.

CVSS Metrics

v4.0•MEDIUM•Score: 5.7CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L
v4.0•MEDIUM•Score: 5.7CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.02%• Percentile: 7%

Techniques & Countermeasures

CWE-497•Exposure of Sensitive System Information to an Unauthorized Control Sphere
The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Affected Systems

suse•suse manager server 5.0
≥ ?, < 0.1.26-150500.3.12.2

References (1)

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22037