CVE-2024-1929

Local Root Exploit via Configuration Dictionary in dnf5daemon-server before 5.1.17 allows a malicious user to impact Confidentiality and Integrity via Configuration Dictionary. There are issues with the D-Bus interface long before Polkit is invoked. The `org.rpm.dnf.v0.SessionManager.open_session` method takes a key/value map of configuration entries. A sub-entry in this map, placed under the "config" key, is another key/value map. The configuration values found in it will be forwarded as configuration overrides to the `libdnf5::Base` configuration. Practically all libdnf5 configuration aspects can be influenced here. Already when opening the session via D-Bus, the libdnf5 will be initialized using these override configuration values. There is no sanity checking of the content of this "config" map, which is untrusted data. It is possible to make the library loading a plug-in shared library under control of an unprivileged user, hence achieving root access.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.1 / Impact : 5.8

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.openwall.com/lists/oss-security/2024/03/04/2	Exploit Mailing List Third Party Advisory
https://www.openwall.com/lists/oss-security/2024/03/04/2	Exploit Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rpm:dnf5:*:*:*:*:*:*:*:*

History

25 Aug 2025, 13:46

Type	Values Removed	Values Added
CPE		cpe:2.3:a:rpm:dnf5::::::::
First Time		Rpm Rpm dnf5
References	~~() https://www.openwall.com/lists/oss-security/2024/03/04/2 -~~	() https://www.openwall.com/lists/oss-security/2024/03/04/2 - Exploit, Mailing List, Third Party Advisory
CWE		NVD-CWE-noinfo

Information

Published : 2024-05-08 02:15

Updated : 2025-08-25 13:46

NVD link : CVE-2024-1929

Mitre link : CVE-2024-1929

CVE.ORG link : CVE-2024-1929

JSON object : View

Products Affected

rpm

dnf5

CWE

CWE-20

Improper Input Validation

NVD-CWE-noinfo

{"id": "CVE-2024-1929", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "patrick@puiterwijk.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 1.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.0}]}, "published": "2024-05-08T02:15:09.300", "references": [{"url": "https://www.openwall.com/lists/oss-security/2024/03/04/2", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "patrick@puiterwijk.org"}, {"url": "https://www.openwall.com/lists/oss-security/2024/03/04/2", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "patrick@puiterwijk.org", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Local Root Exploit via Configuration Dictionary in dnf5daemon-server\u00a0before 5.1.17 allows a malicious user to impact Confidentiality and Integrity via Configuration Dictionary.\n\nThere are issues with the D-Bus interface long before Polkit is invoked. The `org.rpm.dnf.v0.SessionManager.open_session` method takes a key/value map of configuration entries. A sub-entry in this map, placed under the \"config\" key, is another key/value map. The configuration values found in it will be forwarded as configuration overrides to the `libdnf5::Base` configuration.\u00a0\n\nPractically all libdnf5 configuration aspects can be influenced here. Already when opening the session via D-Bus, the libdnf5 will be initialized using these override configuration values. There is no sanity checking of the content of this \"config\" map, which is untrusted data.\u00a0It is possible to make the library loading a plug-in shared library under control of an unprivileged user, hence achieving root access.\u00a0\n\n"}, {"lang": "es", "value": "El exploit de ra\u00edz local a trav\u00e9s del diccionario de configuraci\u00f3n en dnf5daemon-server anterior a 5.1.17 permite que un usuario malintencionado afecte la confidencialidad y la integridad a trav\u00e9s del diccionario de configuraci\u00f3n. Hay problemas con la interfaz D-Bus mucho antes de que se invoque Polkit. El m\u00e9todo `org.rpm.dnf.v0.SessionManager.open_session` toma un mapa clave/valor de las entradas de configuraci\u00f3n. Una subentrada en este mapa, ubicada debajo de la clave \"config\", es otro mapa de clave/valor. Los valores de configuraci\u00f3n que se encuentran en \u00e9l se reenviar\u00e1n como anulaciones de configuraci\u00f3n a la configuraci\u00f3n `libdnf5::Base`. Aqu\u00ed se pueden influir pr\u00e1cticamente todos los aspectos de configuraci\u00f3n de libdnf5. Ya al abrir la sesi\u00f3n a trav\u00e9s de D-Bus, libdnf5 se inicializar\u00e1 utilizando estos valores de configuraci\u00f3n de anulaci\u00f3n. No hay ninguna verificaci\u00f3n de cordura del contenido de este mapa de \"configuraci\u00f3n\", que son datos que no son de confianza. Es posible hacer que la librer\u00eda cargue una librer\u00eda compartida de complemento bajo el control de un usuario sin privilegios, logrando as\u00ed acceso de root."}], "lastModified": "2025-08-25T13:46:40.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rpm:dnf5:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D7041198-E221-4AED-B6EB-1689C8131E30", "versionEndExcluding": "5.1.17"}], "operator": "OR"}]}], "sourceIdentifier": "patrick@puiterwijk.org"}