Red Hat: CVE-2024-52337: tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method (Multiple Advisories)

Severity
5
CVSS
(AV:L/AC:L/Au:S/C:N/I:C/A:N)
Published
Nov 26, 2024
Added
Jan 10, 2025
Modified
Sep 29, 2025

Description

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. The flaw allows an attacker to pass a controlled sequence of characters, including newlines, that is written into the log. Instead of an obviously suspicious value such as 'evil', the attacker could mimic a valid TuneD log line and trick the administrator. TuneD logs usually cite raw user input in single quotes, so the spoofed input is always followed by a closing ' character, but an administrator can easily overlook it. The logged string is later reused in logging and in the output of utilities, for example `tuned-adm get_instances`, or by third-party programs that use TuneD's D-Bus interface for such operations.
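The mitigation for this class of bug is to validate API arguments against an allow-list before they reach a log line, and to escape control characters in anything untrusted that is logged anyway. The following is an added example, not TuneD's own code: the function names, the allow-list policy and the constructed sample input are assumptions made for illustration.

```python
import logging
import re

# Allow-list for instance names: letters, digits, '_', '-' and '.', capped
# at 64 characters. Anything else (newline, CR, ESC, NUL, ...) is rejected
# before the value can reach a log record or a D-Bus reply.
# Assumption: this policy is chosen for the example, not TuneD's actual rule.
_INSTANCE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def escape_for_log(value) -> str:
    """Render untrusted text so control characters stay visible (\\n, \\x1b,
    ...) and can never terminate the current log line."""
    out = []
    for ch in str(value):
        code = ord(ch)
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif code < 0x20 or code == 0x7F:
            out.append("\\x%02x" % code)
        else:
            out.append(ch)
    return "".join(out)


def validate_instance_name(name) -> str:
    """Reject any name outside the allow-list; the error message itself is
    escaped so that the rejection record cannot be spoofed either."""
    if not isinstance(name, str) or not _INSTANCE_NAME_RE.fullmatch(name):
        raise ValueError("invalid instance name '%s'" % escape_for_log(name))
    return name


def render_log_line(instance_name) -> str:
    """Single-line log record for the request; quoted input never spans
    more than one line after escaping."""
    return "INFO tuned.daemon: creating instance '%s'" % escape_for_log(instance_name)


def instance_create_safe(instance_name, log=None) -> str:
    """Hypothetical hardened wrapper around the logging step of an
    instance_create() style entry point. Returns the accepted name, or an
    empty string when the request was rejected."""
    log = log or logging.getLogger("tuned_example")
    try:
        name = validate_instance_name(instance_name)
    except ValueError as err:
        log.warning("rejected instance_create request: %s", err)
        return ""
    log.info("creating instance '%s'", escape_for_log(name))
    return name


# Constructed sample input: a name carrying a newline followed by text that
# imitates a log record, as the advisory describes.
SPOOF_INPUT = "x'\nINFO tuned.daemon: profile applied '"

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(render_log_line(SPOOF_INPUT))   # one line, newline shown as \n
    print(instance_create_safe(SPOOF_INPUT) == "")  # True: rejected
```

The allow-list check is the primary control; `escape_for_log` is defence in depth for any code path (D-Bus replies, `tuned-adm` output, third-party consumers) that still has to print a string whose origin it does not control.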

Solutions

no-fix-redhat-rpm-package
redhat-upgrade-tuned
redhat-upgrade-tuned-gtk
redhat-upgrade-tuned-ppd
redhat-upgrade-tuned-profiles-atomic
redhat-upgrade-tuned-profiles-compat
redhat-upgrade-tuned-profiles-cpu-partitioning
redhat-upgrade-tuned-profiles-mssql
redhat-upgrade-tuned-profiles-nfv
redhat-upgrade-tuned-profiles-nfv-guest
redhat-upgrade-tuned-profiles-nfv-host
redhat-upgrade-tuned-profiles-oracle
redhat-upgrade-tuned-profiles-postgresql
redhat-upgrade-tuned-profiles-realtime
redhat-upgrade-tuned-profiles-sap
redhat-upgrade-tuned-profiles-sap-hana
redhat-upgrade-tuned-profiles-spectrumscale
redhat-upgrade-tuned-utils
redhat-upgrade-tuned-utils-systemtap