CVE-2024-3019

NameCVE-2024-3019
DescriptionA flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1068112

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pcp (PTS)buster4.3.2+really4.3.1-0.1vulnerable
bullseye5.2.6-1vulnerable
bookworm6.0.3-1.1vulnerable
trixie6.2.0-1vulnerable
sid6.2.0-1.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pcpsource(unstable)(unfixed)1068112

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=2271898
Fixed by: https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e

Search for package or bug name: Reporting problems