
CVE-2023-26604

CVE Details

Visit the official vulnerability details page for CVE-2023-26604 to learn more.

Initial Publication

11/13/2024

Last Update

12/12/2024

Third Party Dependency

libsystemd0

NIST CVE Summary

systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.
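The summary above gives two conditions for exposure on a host: a systemd release older than 247 and a pager environment in which LESSSECURE is not set to 1. The POSIX shell audit helper below is an added example, not part of this advisory, of NIST's text or of systemd itself. It parses the first line of `systemctl --version`, compares the release against the 247 threshold named in the summary, and inspects an environment dump for a mitigating setting. Treating an empty or `cat` value of SYSTEMD_PAGER (which disables the pager) as a mitigation is an assumption added here, as are the function names and the constructed sample inputs.

```shell
#!/bin/sh
# Added audit helper (not part of the advisory or of systemd): reports whether
# a host's systemctl pager could run unconfined under sudo, using the two
# criteria in the CVE summary: systemd < 247 and LESSSECURE not set to 1.

# Extract the release number from the first line of `systemctl --version`
# (e.g. "systemd 245 (245.4-4ubuntu3)" -> 245).
parse_systemd_version() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when the release carries the fix the summary attributes to 247.
is_fixed_version() {
    [ -n "$1" ] && [ "$1" -ge 247 ]
}

# Inspect an environment dump (one VAR=value per line, as `env` prints it).
# Prints "mitigated" when LESSSECURE=1 is present or the pager is disabled
# (SYSTEMD_PAGER empty or "cat"; treating that as a mitigation is an
# assumption of this example), otherwise "exposed".
pager_posture() {
    env_dump="$1"
    if printf '%s\n' "$env_dump" | grep -qx 'LESSSECURE=1'; then
        echo mitigated; return 0
    fi
    if printf '%s\n' "$env_dump" | grep -qxE 'SYSTEMD_PAGER=(cat)?'; then
        echo mitigated; return 0
    fi
    echo exposed
}

# Overall verdict combining the release check and the environment check.
assess() {
    ver=$(parse_systemd_version "$1")
    if [ -z "$ver" ]; then
        echo "unable to parse systemd version"; return 1
    fi
    if is_fixed_version "$ver"; then
        echo "systemd $ver: fixed release"
    elif [ "$(pager_posture "$2")" = mitigated ]; then
        echo "systemd $ver: vulnerable release, pager mitigated by environment"
    else
        echo "systemd $ver: vulnerable release, pager exposed"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_OLD="systemd 245 (245.4-4ubuntu3)
+PAM +AUDIT +SELINUX"
SAMPLE_NEW="systemd 252 (252.4-1)"
SAMPLE_ENV_EXPOSED="SUDO_USER=alice
PATH=/usr/bin:/bin"
SAMPLE_ENV_MITIGATED="SUDO_USER=alice
LESSSECURE=1"

# Stand-alone run over the constructed samples. On a live host the inputs
# would be "$(systemctl --version)" and the environment sudo actually hands
# to systemctl (for example the output of `sudo env`).
assess "$SAMPLE_OLD" "$SAMPLE_ENV_EXPOSED"
assess "$SAMPLE_OLD" "$SAMPLE_ENV_MITIGATED"
assess "$SAMPLE_NEW" "$SAMPLE_ENV_EXPOSED"
```

The environment check only reflects what the dump contains; whether sudo preserves LESSSECURE for the invoked command depends on the sudoers `env_keep` policy, so the dump should be taken from the same sudo context that runs `systemctl status`.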

CVE Severity

7.8

Our Official Summary

This vulnerability is reported on several of the third-party CNI images used by our products, such as calico and multus-cni. The out-of-bounds write vulnerability in the Bzip2 libraries can be exploited by a malicious bzip2 payload, potentially resulting in a denial of service or remote code execution. Network services or command-line utilities that decompress untrusted bzip2 payloads are at risk. The risk scenario is low for the following reasons: these images are optional and are installed only when the deployment configuration calls for them; there are no known reports of exploitation from the third-party vendors; and these images are not directly accessible for an attacker to send crafted input. We will upgrade the images when the fixes become available from the vendors.

Status

Ongoing

Affected Products & Versions

Version   Palette Enterprise   Palette Enterprise Airgap   VerteX        VerteX Airgap
4.6.41    ✅ No Impact          ✅ No Impact                 ⚠️ Impacted    ⚠️ Impacted
4.5.22    ✅ No Impact          ✅ No Impact                 ⚠️ Impacted    ⚠️ Impacted
4.4.20    ⚠️ Impacted           ⚠️ Impacted                  ⚠️ Impacted    ⚠️ Impacted

Revision History

No revisions available.