CVE-2024-11003

Published: Nov 19, 2024Modified: Nov 3, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: security@ubuntu.com (Secondary)

Description

Qualys discovered that needrestart, before version 3.8, passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. This could allow a local attacker to execute arbitrary shell commands. Please see the related CVE-2024-10224 in Modules::ScanDeps.

Affected (1)

Products: Needrestart Project: Needrestart

Needrestart Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Needrestart Project Needrestart	Before 3.8

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (7)

https://github.com/liske/needrestart/commit/0f80a348883f72279a859ee655f58da34babefb0

Source: security@ubuntu.com

Patch

https://www.cve.org/CVERecord?id=CVE-2024-10224

Source: security@ubuntu.com

VDB Entry

https://www.cve.org/CVERecord?id=CVE-2024-11003

Source: security@ubuntu.com

VDB Entry

https://www.qualys.com/2024/11/19/needrestart/needrestart.txt

Source: security@ubuntu.com

Third Party Advisory

http://seclists.org/fulldisclosure/2024/Nov/17

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2024/11/msg00014.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.openwall.com/lists/oss-security/2024/11/19/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

Timeline

No history available yet.