SB2024080814 - Fedora 40 update for opentofu

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024080814

SB2024080814 - Fedora 40 update for opentofu

Published: August 8, 2024

Security Bulletin ID SB2024080814
Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Insufficient verification of data authenticity (CVE-ID: CVE-2024-6257)

The vulnerability allows a local user to compromise the affected system.

The vulnerability exists due to the way the Git config is handled by the library. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes. An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.


2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-6104)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data obtain from HTTP requests.


3) Input validation error (CVE-ID: CVE-2024-24789)

The vulnerability allows a remote attacker to manipulate data.

The vulnerability exists due to insufficient validation of user-supplied input in archive/zip when handling zip archives. A remote attacker can create a zip file with content that will vary depending on the implementation reading the file.


Remediation

Install update from vendor's website.

References