NIXPKGS-2025-0011

published on

Permalink CVE-2024-2947

7.3 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

updated 6 months, 3 weeks ago by @Erethon Activity log

Created automatic suggestion 9 months, 3 weeks ago
@Erethon dismissed 9 months, 3 weeks ago
@Erethon accepted 9 months, 3 weeks ago
@Erethon published on GitHub 6 months, 3 weeks ago

Cockpit: command injection when deleting a sosreport with a crafted name

A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.

References

RHSA-2024:3667 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:3843 vendor-advisoryx_transferredx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-2947 x_transferredvdb-entryx_refsource_REDHAT
RHBZ#2271614 x_transferredissue-trackingx_refsource_REDHAT
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred

Affected products

cockpit

*
*
==314

Matching in nixpkgs

pkgs.emacsPackages.test-cockpit

None

nixos-unstable 20240604.1943
- nixpkgs-unstable 20240604.1943

Nixpkgs security tracker

Details of issue NIXPKGS-2025-0011

References

Affected products

Matching in nixpkgs

pkgs.emacsPackages.test-cockpit