VDB
GCVE-110-MAGEIA-2024-356
GCVE-110-MAGEIA-2024-356
Advisory Published
A flaw was found in the libreswan client plugin for NetworkManager
(NetkworkManager-libreswan), where it fails to properly sanitize the VPN
configuration from the local unprivileged user. In this configuration,
composed by a key-value format, the plugin fails to escape special
characters, leading the application to interpret values as keys. One of
the most critical parameters that could be abused by a malicious user is
the "leftupdown" key. This key takes an executable command as a value and
is used to specify what executes as a callback in
NetworkManager-libreswan to retrieve configuration settings back to
NetworkManager. As NetworkManager uses Polkit to allow an unprivileged
user to control the system's network configuration, a malicious actor
could achieve local privilege escalation and potential code execution as
root in the targeted machine by creating a malicious configuration.
(CVE-2024-9050)
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | networkmanager-libreswan | 0 (affected), 1.2.24-1.mga9 (unaffected) | — |
Browse GCVE Records
72,921 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.