VDB

CVE-2024-32019

CVE-2024-32019 PUBLISHED CVSS 8.800000190734863 HIGH

Netdata is an open source observability tool. In affected versions the `ndsudo` tool shipped with affected versions of the Netdata Agent allows an attacker to run arbitrary programs with root permissions. The `ndsudo` tool is packaged as a `root`-owned executable with the SUID bit set. It only runs a restricted set of external commands, but its search paths are supplied by the `PATH` environment variable. This allows an attacker to control where `ndsudo` looks for these commands, which may be a path the attacker has write access to. This may lead to local privilege escalation. This vulnerability has been addressed in versions 1.45.3 and 1.45.2-169. Users are advised to upgrade. There are no known workarounds for this vulnerability.

EPSS 0.58% · 69.1th percentile

Risk Scores

CVSS v3.1
8.800000190734863
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score
0.58%
69.1th percentile

Affected Products

VendorProductVersions
netdatanetdata>= 1.45.0, < 1.45.3, >= 1.44.0-60, < 1.45.0-169
netdatanetdata1.45.0, 1.44.0-60

Timeline

  • Jan 20, 1970 Fix PR Merged
  • Jan 21, 1970 Security Advisory
  • Apr 12, 2024 CVE Published
  • Apr 12, 2024 CVE Updated
  • Apr 13, 2024 EPSS Score
  • May 8, 2024 EPSS Score
  • Jun 2, 2024 EPSS Score
  • Jun 27, 2024 EPSS Score
  • Jul 22, 2024 EPSS Score
  • Aug 16, 2024 EPSS Score
  • Sep 10, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›