CVE-2024-3019

A flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
redhatCNA
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
Debian logo
Debian Releases
Debian Product
Codename
pcp
bullseye
no-dsa
bookworm
no-dsa
buster
not-affected
sid
6.3.8-1
fixed
trixie
6.3.8-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pcp
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2024:2566
https://access.redhat.com/errata/RHSA-2024:3264
https://access.redhat.com/errata/RHSA-2024:3321
https://access.redhat.com/errata/RHSA-2024:3322
https://access.redhat.com/errata/RHSA-2024:3323
https://access.redhat.com/errata/RHSA-2024:3324
https://access.redhat.com/errata/RHSA-2024:3325
https://access.redhat.com/errata/RHSA-2024:3392
https://access.redhat.com/security/cve/CVE-2024-3019
https://bugzilla.redhat.com/show_bug.cgi?id=2271898
https://access.redhat.com/errata/RHSA-2024:2566
https://access.redhat.com/errata/RHSA-2024:3264
https://access.redhat.com/errata/RHSA-2024:3321
https://access.redhat.com/errata/RHSA-2024:3322
https://access.redhat.com/errata/RHSA-2024:3323
https://access.redhat.com/errata/RHSA-2024:3324
https://access.redhat.com/errata/RHSA-2024:3325
https://access.redhat.com/errata/RHSA-2024:3392
https://access.redhat.com/security/cve/CVE-2024-3019
https://bugzilla.redhat.com/show_bug.cgi?id=2271898