CVE-2024-22037

Summary

The uyuni-server-attestation systemd service needs a database_password environment variable. This file has 640 permission, and cannot be shown users, but the environment is still exposed by systemd to non-privileged users.

Affected Software

VendorProductVersion RangeStatus
SUSESUSE Manager Server 5.0? < 0.1.26-150500.3.12.2affected
SUSESUSE Manager Server 5.0? < 0.1.26-150500.3.12.2affected
SUSESUSE Manager Server 5.0? < 0.1.26-150500.3.12.2affected
SUSESUSE Manager Server 5.0? < 0.1.26-150500.3.12.2affected

Weaknesses

  • CWE-497: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References