SB2024112725 - Ubuntu update for needrestart
Published: November 27, 2024 Updated: January 4, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2024-11003)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the application passes unsanitized data to a library (Modules::ScanDeps) which expects safe input. A local user can execute arbitrary OS commands as root.
Note, the vulnerability is related to #VU100773 (CVE-2024-10224).
2) OS Command Injection (CVE-ID: CVE-2024-10224)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper input validation when handling arguments passed to the Perl scripts. A local user can pass specially crafted input to the script and execute arbitrary OS commands on the system.
3) Code Injection (CVE-ID: CVE-2024-48990)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insecure handling of environment variables. A local user can trick the application into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable and execute arbitrary code on the system as root.
4) Race condition (CVE-ID: CVE-2024-48991)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition. A local user can force the application into running a malicious Python interpreter instead the system one and execute arbitrary code as root.
5) Code Injection (CVE-ID: CVE-2024-48992)
The vulnerability allows a local user to escalate privileges on the system.
Remediation
Install update from vendor's website.