CVE-2024-3019

NameCVE-2024-3019
DescriptionA flaw was found in PCP. The default pmproxy configuration exposes the Redis server backend to the local network, allowing remote command execution with the privileges of the Redis user. This issue can only be exploited when pmproxy is running. By default, pmproxy is not running and needs to be started manually. The pmproxy service is usually started from the 'Metrics settings' page of the Cockpit web interface. This flaw affects PCP versions 4.3.4 and newer.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1068112

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pcp (PTS)bullseye5.2.6-1vulnerable
bookworm6.0.3-1.1vulnerable
forky, trixie6.3.8-1fixed
sid7.0.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pcpsourcebuster(not affected)
pcpsource(unstable)6.2.1-11068112

Notes

[bookworm] - pcp <no-dsa> (Minor issue)
[bullseye] - pcp <no-dsa> (Minor issue)
[buster] - pcp <not-affected> (Vulnerable code not present)
https://bugzilla.redhat.com/show_bug.cgi?id=2271898
Fixed by: https://github.com/performancecopilot/pcp/commit/3bde240a2acc85e63e2f7813330713dd9b59386e (6.2.1)
Search for package or bug name: Reporting problems