CVE-2024-3019

High

Description

A flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.

References

https://bugzilla.redhat.com/show_bug.cgi?id=2271898

https://access.redhat.com/security/cve/CVE-2024-3019

https://access.redhat.com/errata/RHSA-2024:3392

https://access.redhat.com/errata/RHSA-2024:3325

https://access.redhat.com/errata/RHSA-2024:3324

https://access.redhat.com/errata/RHSA-2024:3323

https://access.redhat.com/errata/RHSA-2024:3322

https://access.redhat.com/errata/RHSA-2024:3321

https://access.redhat.com/errata/RHSA-2024:3264

https://access.redhat.com/errata/RHSA-2024:2566

Details

Source: MITRE, NVD

Published: 2024-03-28

Updated: 2024-05-28

Risk Information

CVSS v2

Base Score: 8.3

Vector: CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High