CVE-2024-52867 HIGH

Vendor: N/A
Product: n/a
Published: November 17, 2024
Last update: November 20, 2024

CVSS base score

8.1/10
Attack vector: Local
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AC:H/AV:L/A:H/C:H/I:H/PR:N/S:C/UI:N

What the vulnerability does

01 Description

guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed. The vulnerability can be remediated within the product via certain pull, reconfigure, and restart actions. Both 5ab3c4c and 5582241 are needed to resolve the vulnerability.

Key dates

02 Disclosure timeline

November 17, 2024: CVE published
November 20, 2024: Record updated